13241300x80000000000000001421177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.045{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\gencounter\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5ec9925b) 13241300x80000000000000001421176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.045{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001421175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.045{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001421174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.045{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001421173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.045{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001421172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.045{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5ec9925b) 13241300x80000000000000001421171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.045{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\intelppm\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5ec9925b) 13241300x80000000000000001421170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.029{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x80000000000000001421169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.029{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 13241300x80000000000000001421168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.029{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\19LPTENUM\MicrosoftRawPort\5&dde82d&0&LPT1 12241200x80000000000000001421167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:09.826{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalled 13241300x80000000000000001421166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.826{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalledDWORD (0x00002f89) 13241300x80000000000000001421165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.826{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5ea83141) 13241300x80000000000000001421164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.826{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5ea83141) 13241300x80000000000000001421163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.748{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001421162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.748{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001421161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.748{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMinorVersionDWORD (0x00000032) 13241300x80000000000000001421160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.748{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001421159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.717{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x80000000000000001421158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.717{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x80000000000000001421157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.623{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001421156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.623{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001421155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.623{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001421154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.576{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001421153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.576{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001421152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.576{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001421151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.576{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001421150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.576{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001421149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.576{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001421148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.576{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x80000000000000001421147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.576{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001421146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.435{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x80000000000000001421145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.170{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001421144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.170{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x80000000000000001421143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.170{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{535b097b-1c18-11ec-ab2e-806e6f6e6963}#0000000000100000 13241300x80000000000000001421142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.170{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001421141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.170{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x80000000000000001421140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:09.170{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{535b097b-1c18-11ec-ab2e-806e6f6e6963}#0000000000100000 434400x80000000000000001421139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local2021-09-29 07:41:15.922Started13.014.50 10341000x80000000000000001422093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.771{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001422057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-000MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.766{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.750{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189C-6154-3600-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189C-6154-3600-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-189C-6154-3500-00000000FE01}28242820C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{69CF5F33-189C-6154-3600-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.748{69CF5F33-189C-6154-3600-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189C-6154-3500-00000000FE01}2824C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000001422034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189C-6154-3500-00000000FE01}2824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189C-6154-3500-00000000FE01}2824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-189C-6154-3400-00000000FE01}24082472C:\Windows\system32\cmd.exe{69CF5F33-189C-6154-3500-00000000FE01}2824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.742{69CF5F33-189C-6154-3500-00000000FE01}2824C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{69CF5F33-189C-6154-3400-00000000FE01}2408C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000001422030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189C-6154-3400-00000000FE01}2408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189C-6154-3400-00000000FE01}2408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-189B-6154-2D00-00000000FE01}29002904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-189C-6154-3400-00000000FE01}2408C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.736{69CF5F33-189C-6154-3400-00000000FE01}2408C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189B-6154-2D00-00000000FE01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001422017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.702{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.687{69CF5F33-189C-6154-3300-00000000FE01}30403044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.671{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.655{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.640{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.607{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.592{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.576{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.434{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.419{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.418{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.418{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.418{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.418{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.418{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.418{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.418{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.402{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.402{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.402{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3040C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.402{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3040C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.402{69CF5F33-189C-6154-3200-00000000FE01}30203024C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{00000000-0000-0000-0000-000000000000}3040C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.404{69CF5F33-189C-6154-3300-00000000FE01}3040C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189C-6154-3200-00000000FE01}3020C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001421886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{00000000-0000-0000-0000-000000000000}30083012C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}3020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.398{69CF5F33-189C-6154-3200-00000000FE01}3020C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{69CF5F33-189C-6154-3100-00000000FE01}3008C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001421873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.386{69CF5F33-189B-6154-2D00-00000000FE01}29002904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{00000000-0000-0000-0000-000000000000}3008C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.391{69CF5F33-189C-6154-3100-00000000FE01}3008C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189B-6154-2D00-00000000FE01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001421869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.371{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.308{69CF5F33-189C-6154-3000-00000000FE01}29602964C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.208{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.208{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.208{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.208{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.207{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.207{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.207{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.207{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.207{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.175{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.128{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.112{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.080{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.064{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2960C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2960C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-189C-6154-2F00-00000000FE01}29362940C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{00000000-0000-0000-0000-000000000000}2960C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.028{69CF5F33-189C-6154-3000-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189C-6154-2F00-00000000FE01}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000001421738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189C-6154-2F00-00000000FE01}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189C-6154-2F00-00000000FE01}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-189C-6154-2E00-00000000FE01}29242928C:\Windows\system32\cmd.exe{69CF5F33-189C-6154-2F00-00000000FE01}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.016{69CF5F33-189C-6154-2F00-00000000FE01}2936C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{69CF5F33-189C-6154-2E00-00000000FE01}2924C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000001421732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.017{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.002{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}2924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.002{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.002{69CF5F33-189B-6154-2D00-00000000FE01}29002904C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{00000000-0000-0000-0000-000000000000}2924C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.007{69CF5F33-189C-6154-2E00-00000000FE01}2924C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189B-6154-2D00-00000000FE01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001421721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.986{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189B-6154-2D00-00000000FE01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.986{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2D00-00000000FE01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.986{69CF5F33-189B-6154-2C00-00000000FE01}28802884C:\Windows\system32\cmd.exe{69CF5F33-189B-6154-2D00-00000000FE01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.994{69CF5F33-189B-6154-2D00-00000000FE01}2900C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{69CF5F33-189B-6154-2C00-00000000FE01}2880C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001421717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.986{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189B-6154-2C00-00000000FE01}2880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.986{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2C00-00000000FE01}2880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.986{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-189B-6154-2C00-00000000FE01}2880C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.988{69CF5F33-189B-6154-2C00-00000000FE01}2880C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x80000000000000001421713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:15.969{69CF5F33-1899-6154-1100-00000000FE01}972\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x80000000000000001421712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.969{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001421711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:15.969{69CF5F33-1898-6154-0A00-00000000FE01}628\Winsock2\CatalogChangeListener-274-0C:\Windows\system32\services.exe 10341000x80000000000000001421710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.969{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2B00-00000000FE01}2832C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.969{69CF5F33-1898-6154-0A00-00000000FE01}628940C:\Windows\system32\services.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.938{69CF5F33-1898-6154-0B00-00000000FE01}6362384C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.938{69CF5F33-1898-6154-0B00-00000000FE01}6362384C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.938{69CF5F33-189B-6154-2900-00000000FE01}26682704C:\Windows\system32\conhost.exe{69CF5F33-189B-6154-2A00-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.938{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2A00-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.938{69CF5F33-189B-6154-2800-00000000FE01}26522656C:\Windows\system32\cmd.exe{69CF5F33-189B-6154-2A00-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.935{69CF5F33-189B-6154-2A00-00000000FE01}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{69CF5F33-189B-6154-2800-00000000FE01}2652C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000001421702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.922{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.922{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.922{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.907{69CF5F33-189B-6154-2900-00000000FE01}26682704C:\Windows\system32\conhost.exe{69CF5F33-189B-6154-2800-00000000FE01}2652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.891{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.891{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.891{69CF5F33-189A-6154-1C00-00000000FE01}19401944C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{00000000-0000-0000-0000-000000000000}2652C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.896{69CF5F33-189B-6154-2800-00000000FE01}2652C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001421694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189B-6154-2700-00000000FE01}2620C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.876{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2700-00000000FE01}2620C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.876{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189B-6154-2700-00000000FE01}2620C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.883{69CF5F33-189B-6154-2700-00000000FE01}2620C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x80000000000000001421690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.701{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001421689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.701{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001421688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.701{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001421687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.701{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001421686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.701{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001421685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.701{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x80000000000000001421684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.701{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 11241100x80000000000000001421683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.686{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2021-09-29 07:41:15.686 10341000x80000000000000001421682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.606{69CF5F33-189B-6154-2600-00000000FE01}25042524C:\Windows\system32\conhost.exe{69CF5F33-189B-6154-2500-00000000FE01}2496C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.606{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x80000000000000001421680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.591{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2600-00000000FE01}2504C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.591{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2500-00000000FE01}2496C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.591{69CF5F33-1899-6154-1100-00000000FE01}9721464C:\Windows\system32\svchost.exe{69CF5F33-189B-6154-2500-00000000FE01}2496C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.575{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.575{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.560{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.560{69CF5F33-1898-6154-0A00-00000000FE01}628928C:\Windows\system32\services.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.943{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-1400-00000000FE01}3681556C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001421671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.527{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.512{69CF5F33-1899-6154-1400-00000000FE01}3681232C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001421656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.512{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1898-6154-0B00-00000000FE01}6362384C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.496{69CF5F33-189B-6154-2300-00000000FE01}23362356C:\Windows\system32\conhost.exe{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.480{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2300-00000000FE01}2336C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001421639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.465{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000774) 10341000x80000000000000001421638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.465{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.465{69CF5F33-1899-6154-1100-00000000FE01}9721464C:\Windows\system32\svchost.exe{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.465{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.465{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.449{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.449{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.449{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.433{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001421630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.433{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.433{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000773) 10341000x80000000000000001421628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.433{69CF5F33-189B-6154-2100-00000000FE01}22642292C:\Windows\system32\conhost.exe{69CF5F33-189B-6154-2000-00000000FE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.433{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.433{69CF5F33-1898-6154-0A00-00000000FE01}628940C:\Windows\system32\services.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.400{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2100-00000000FE01}2264C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001421624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{941dad9d-7b1a-4354-997b-00cf1aa9b35c}Binary Data 13241300x80000000000000001421623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{935b7f48-0ede-44dd-9bc2-e00bb635cda3}Binary Data 13241300x80000000000000001421622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c42f1cd6-3a95-4ae2-a513-793c3ae610c7}Binary Data 13241300x80000000000000001421621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{2db25e6c-f07a-44f4-b6c8-50a330d2790b}Binary Data 13241300x80000000000000001421620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{2dd96961-5757-434f-b617-34e732517c0e}Binary Data 13241300x80000000000000001421619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0ccc96a3-8c5c-45e2-b80e-7e37b16cc1ad}Binary Data 13241300x80000000000000001421618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{a47525e2-725b-4888-8af1-ba5a60c04f4d}Binary Data 13241300x80000000000000001421617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c016105c-eb34-4519-a5fd-5f4e4ad4d18e}Binary Data 13241300x80000000000000001421616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{074f7f68-ee10-428a-89d1-ba78f6c327ca}Binary Data 13241300x80000000000000001421615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0c3be01b-fe70-4cc4-89dc-c07996b67e6d}Binary Data 13241300x80000000000000001421614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c970a45d-57f9-4e32-a5bd-886a9662641e}Binary Data 13241300x80000000000000001421613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{12c38916-82ac-4737-8f38-b6957ffebad6}Binary Data 13241300x80000000000000001421612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0c41d586-9c19-4e01-9d66-b5b98a97576e}Binary Data 13241300x80000000000000001421611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{dc95b53e-01cf-4058-821d-350b3d0d4676}Binary Data 13241300x80000000000000001421610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{941dad9d-7b1a-4354-997b-00cf1aa9b35c}Binary Data 13241300x80000000000000001421609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{935b7f48-0ede-44dd-9bc2-e00bb635cda3}Binary Data 13241300x80000000000000001421608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{3697a558-3ed3-49be-a4c1-c1a4448653b4}Binary Data 13241300x80000000000000001421607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{b6fdab6b-dcc6-43e3-99ce-7aeca65063a4}Binary Data 13241300x80000000000000001421606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c42f1cd6-3a95-4ae2-a513-793c3ae610c7}Binary Data 13241300x80000000000000001421605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{2db25e6c-f07a-44f4-b6c8-50a330d2790b}Binary Data 13241300x80000000000000001421604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{375fb39b-08c6-40f2-bdf2-08fa63f970a2}Binary Data 13241300x80000000000000001421603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{2dd96961-5757-434f-b617-34e732517c0e}Binary Data 13241300x80000000000000001421602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{cbfb56db-3c85-4543-9bc2-76ea28cdd74e}Binary Data 13241300x80000000000000001421601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{13bfd422-6f75-4408-8924-9400ec0cb19c}Binary Data 13241300x80000000000000001421600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{64e55933-15a5-495d-a928-ccca43d44875}Binary Data 13241300x80000000000000001421599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{91ffecf0-0a9e-4572-95f1-a7111af86967}Binary Data 13241300x80000000000000001421598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0ccc96a3-8c5c-45e2-b80e-7e37b16cc1ad}Binary Data 13241300x80000000000000001421597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{a47525e2-725b-4888-8af1-ba5a60c04f4d}Binary Data 13241300x80000000000000001421596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c016105c-eb34-4519-a5fd-5f4e4ad4d18e}Binary Data 13241300x80000000000000001421595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{074f7f68-ee10-428a-89d1-ba78f6c327ca}Binary Data 13241300x80000000000000001421594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0aa7fff8-919f-453c-928c-28a12122ba38}Binary Data 13241300x80000000000000001421593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{b6b2ca61-fb98-4422-adc2-e7cf56b3680c}Binary Data 13241300x80000000000000001421592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{5b0cb2e2-ab87-4974-9f1c-2f22a654eeb9}Binary Data 13241300x80000000000000001421591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{07a24961-a760-4e80-b263-6d275e1b09cb}Binary Data 13241300x80000000000000001421590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{1165065e-4996-4338-abaf-4b8556b4d431}Binary Data 13241300x80000000000000001421589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{716b48eb-0a35-4a76-92ab-1d987230d288}Binary Data 13241300x80000000000000001421588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.385{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{be7cbdf4-b192-4aa5-94f8-1fb5c5ee07bc}Binary Data 13241300x80000000000000001421587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.369{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{4d9581d2-aef8-4993-84cd-b986ced80d42}Binary Data 13241300x80000000000000001421586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.369{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0c3be01b-fe70-4cc4-89dc-c07996b67e6d}Binary Data 13241300x80000000000000001421585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.369{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c970a45d-57f9-4e32-a5bd-886a9662641e}Binary Data 13241300x80000000000000001421584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.369{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{12c38916-82ac-4737-8f38-b6957ffebad6}Binary Data 13241300x80000000000000001421583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.369{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0c41d586-9c19-4e01-9d66-b5b98a97576e}Binary Data 13241300x80000000000000001421582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.369{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{f444c576-6e60-4ea2-9faa-80d57ed12cd2}Binary Data 13241300x80000000000000001421581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.369{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{dc95b53e-01cf-4058-821d-350b3d0d4676}Binary Data 13241300x80000000000000001421580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.338{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 10341000x80000000000000001421579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.338{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189B-6154-2000-00000000FE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.338{69CF5F33-1899-6154-1100-00000000FE01}972392C:\Windows\system32\svchost.exe{69CF5F33-189B-6154-2000-00000000FE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.322{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.322{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.322{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.322{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.322{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.322{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.216{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.216{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.215{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.215{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.211{69CF5F33-1898-6154-0A00-00000000FE01}6281012C:\Windows\system32\services.exe{69CF5F33-189A-6154-1B00-00000000FE01}1932C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.209{69CF5F33-189A-6154-1B00-00000000FE01}19322088C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 10341000x80000000000000001421565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.209{69CF5F33-189A-6154-1B00-00000000FE01}19322088C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 10341000x80000000000000001421564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.204{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.204{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.201{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.201{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.200{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.200{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.199{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.199{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.194{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.194{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.141{69CF5F33-1899-6154-1400-00000000FE01}3681492C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.140{69CF5F33-1899-6154-1400-00000000FE01}3681492C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.132{69CF5F33-1899-6154-1100-00000000FE01}9721568C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:15.123{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x80000000000000001421550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:15.123{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x80000000000000001421549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.107{69CF5F33-1899-6154-1400-00000000FE01}3681492C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.107{69CF5F33-1899-6154-1400-00000000FE01}3681492C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.107{69CF5F33-1899-6154-1400-00000000FE01}3681492C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001421546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:15.107{69CF5F33-1899-6154-1200-00000000FE01}1020\trkwksC:\Windows\System32\svchost.exe 10341000x80000000000000001421545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.091{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1B00-00000000FE01}1932C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.091{69CF5F33-1898-6154-0A00-00000000FE01}628724C:\Windows\system32\services.exe{69CF5F33-189A-6154-1B00-00000000FE01}1932C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.933{69CF5F33-189A-6154-1B00-00000000FE01}1932C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BBAE700ACE8ED78E8ADF1DEFFB197405,SHA256=6A681197092F46092D23CC95FF245F81C1AE7C7F302411757D035CA2908DFB14,IMPHASH=4035D2883E01D64F3E7A9DCCB1D63AF5{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.076{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.076{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001421539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:15.060{69CF5F33-189A-6154-1900-00000000FE01}1804\Winsock2\CatalogChangeListener-70c-0C:\Windows\System32\spoolsv.exe 10341000x80000000000000001421538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1898-6154-0A00-00000000FE01}6282040C:\Windows\system32\services.exe{69CF5F33-189A-6154-1A00-00000000FE01}1900C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1898-6154-0A00-00000000FE01}6282036C:\Windows\system32\services.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.060{69CF5F33-1898-6154-0A00-00000000FE01}6282028C:\Windows\system32\services.exe{69CF5F33-189A-6154-1F00-00000000FE01}1976C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.013{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.013{69CF5F33-1898-6154-0A00-00000000FE01}628404C:\Windows\system32\services.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.976{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.998{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1F00-00000000FE01}1976C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1F00-00000000FE01}1976C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0A00-00000000FE01}628940C:\Windows\system32\services.exe{69CF5F33-189A-6154-1F00-00000000FE01}1976C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0A00-00000000FE01}6281012C:\Windows\system32\services.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.976{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.967{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.920{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.920{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.920{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.904{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001421504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.904{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001421503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.904{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x000001fe) 10341000x80000000000000001421502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.857{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1A00-00000000FE01}1900C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.857{69CF5F33-1898-6154-0A00-00000000FE01}6281004C:\Windows\system32\services.exe{69CF5F33-189A-6154-1A00-00000000FE01}1900C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.852{69CF5F33-189A-6154-1A00-00000000FE01}1900C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.826{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.826{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.826{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001421496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:14.826{69CF5F33-1899-6154-1100-00000000FE01}972\SessEnvPublicRpcC:\Windows\system32\svchost.exe 10341000x80000000000000001421495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.810{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1800-00000000FE01}1688C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.810{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1800-00000000FE01}1688C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001421493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:14.810{69CF5F33-1899-6154-1100-00000000FE01}972\Winsock2\CatalogChangeListener-3cc-0C:\Windows\system32\svchost.exe 10341000x80000000000000001421492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.810{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.810{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.779{69CF5F33-1898-6154-0A00-00000000FE01}6281004C:\Windows\system32\services.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.779{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 10341000x80000000000000001421488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.748{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.748{69CF5F33-1898-6154-0A00-00000000FE01}628724C:\Windows\system32\services.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.742{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe10.0.14393.4651 (rs1_release.210911-1554)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=0C3141349E7A2F8309DA835E23BE970F,SHA256=463992A62AC5BFFB8808DEAF8A58A8B52A7B0D3230D655CE98EF0B6A03C5A0B7,IMPHASH=EBCD1C1E4D3D83A9A5CC73CADF7A4B4D{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.732{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.732{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.732{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.732{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.678{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 11241100x80000000000000001421480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localT10532021-09-29 07:41:14.623{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 17141700x80000000000000001421479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:14.623{69CF5F33-1898-6154-0B00-00000000FE01}636\Winsock2\CatalogChangeListener-27c-0C:\Windows\system32\lsass.exe 17141700x80000000000000001421478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:14.623{69CF5F33-1899-6154-1100-00000000FE01}972\atsvcC:\Windows\system32\svchost.exe 10341000x80000000000000001421477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.607{69CF5F33-1898-6154-0A00-00000000FE01}6281012C:\Windows\system32\services.exe{69CF5F33-189A-6154-1800-00000000FE01}1688C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.607{69CF5F33-1898-6154-0A00-00000000FE01}628932C:\Windows\system32\services.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.607{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.607{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001421473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:14.607{69CF5F33-1899-6154-1000-00000000FE01}964\Ctx_WinStation_API_serviceC:\Windows\System32\svchost.exe 17141700x80000000000000001421472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:14.607{69CF5F33-1899-6154-1000-00000000FE01}964\TermSrv_API_serviceC:\Windows\System32\svchost.exe 13241300x80000000000000001421471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.607{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001421470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.607{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001421469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.607{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1800-00000000FE01}1688C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.607{69CF5F33-1898-6154-0A00-00000000FE01}628704C:\Windows\system32\services.exe{69CF5F33-189A-6154-1800-00000000FE01}1688C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.607{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.591{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.591{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.591{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.591{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.591{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0F00-00000000FE01}956C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.591{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.591{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.591{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.560{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.560{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.560{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.560{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.560{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.545{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.529{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.529{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.529{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.529{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001421448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.498{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.498{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.498{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.498{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000015) 13241300x80000000000000001421444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.498{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000015) 13241300x80000000000000001421443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.498{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x80000000000000001421442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.498{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001421441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.498{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x80000000000000001421440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.498{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x80000000000000001421439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.466{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.466{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.466{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.466{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.466{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.451{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.451{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.451{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1700-00000000FE01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.420{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.420{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.420{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.420{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpGatewayHardwareCountDWORD (0x00000001) 13241300x80000000000000001421427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.420{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpGatewayHardwareBinary Data 12241200x80000000000000001421426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.420{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpGatewayHardwareCount 12241200x80000000000000001421425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.420{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpGatewayHardware 10341000x80000000000000001421424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.404{69CF5F33-1898-6154-0A00-00000000FE01}6281012C:\Windows\system32\services.exe{69CF5F33-189A-6154-1700-00000000FE01}1284C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.404{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001421422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.404{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001421421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.404{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 10341000x80000000000000001421420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.404{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1700-00000000FE01}1284C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.404{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.404{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.388{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.376{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1700-00000000FE01}1284C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.376{69CF5F33-1898-6154-0A00-00000000FE01}628724C:\Windows\system32\services.exe{69CF5F33-189A-6154-1700-00000000FE01}1284C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.357{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.357{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.357{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.357{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001421410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.357{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001421409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.357{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001421408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.357{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000001421407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.357{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.357{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.341{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001421404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.341{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x80000000000000001421403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.341{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001421402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.341{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001421401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001421400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001421399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001421398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001421397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001421396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001421395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001421394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseTerminatesTimeDWORD (0x615426aa) 13241300x80000000000000001421393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T2DWORD (0x615424e8) 13241300x80000000000000001421392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T1DWORD (0x61541fa2) 13241300x80000000000000001421391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseObtainedTimeDWORD (0x6154189a) 13241300x80000000000000001421390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseDWORD (0x00000e10) 13241300x80000000000000001421389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpServer10.0.1.1 13241300x80000000000000001421388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001421387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpIPAddress10.0.1.15 13241300x80000000000000001421386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpInterfaceOptionsBinary Data 13241300x80000000000000001421385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMaskOptBinary Data 13241300x80000000000000001421384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpDefaultGatewayBinary Data 13241300x80000000000000001421383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpNameServer10.0.0.2 13241300x80000000000000001421382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer10.0.0.2 13241300x80000000000000001421381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpDomaineu-central-1.compute.internal 13241300x80000000000000001421380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001421379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomaineu-central-1.compute.internal 13241300x80000000000000001421378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.326{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x80000000000000001421377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.326{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.326{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.326{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.312{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.312{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.312{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001421370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001421369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001421368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseTerminatesTimeDWORD (0x00000000) 13241300x80000000000000001421367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T2DWORD (0x00000000) 13241300x80000000000000001421366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\T1DWORD (0x00000000) 13241300x80000000000000001421365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseObtainedTimeDWORD (0x00000000) 13241300x80000000000000001421364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\LeaseDWORD (0x00000000) 13241300x80000000000000001421363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpServer255.255.255.255 13241300x80000000000000001421362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMask255.0.0.0 13241300x80000000000000001421361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpIPAddress0.0.0.0 12241200x80000000000000001421360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpInterfaceOptions 13241300x80000000000000001421359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 12241200x80000000000000001421358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpDefaultGateway 12241200x80000000000000001421357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpSubnetMaskOpt 13241300x80000000000000001421356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\Dhcpv6StateDWORD (0x00000001) 12241200x80000000000000001421355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpDomain 12241200x80000000000000001421354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain 12241200x80000000000000001421353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\DhcpNameServer 12241200x80000000000000001421352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer 13241300x80000000000000001421351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.295{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{a4d02fec-9cce-49e7-8a81-fd08ff1edcb1}\Dhcpv6StateDWORD (0x00000000) 10341000x80000000000000001421350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.295{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.279{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.279{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.279{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.263{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x80000000000000001421345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.263{69CF5F33-1898-6154-0A00-00000000FE01}628940C:\Windows\system32\services.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.263{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.248{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.248{69CF5F33-1898-6154-0A00-00000000FE01}628720C:\Windows\system32\services.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.232{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.232{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.232{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.232{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.232{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.232{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.107{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.107{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.107{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.107{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:14.107{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 10341000x80000000000000001421330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.091{69CF5F33-1898-6154-0A00-00000000FE01}628940C:\Windows\system32\services.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.091{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.060{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.060{69CF5F33-1898-6154-0A00-00000000FE01}628936C:\Windows\system32\services.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.060{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.060{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.060{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.045{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.045{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.029{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.029{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.029{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.029{69CF5F33-1898-6154-0A00-00000000FE01}628704C:\Windows\system32\services.exe{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.029{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.013{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.013{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.013{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.013{69CF5F33-1898-6154-0A00-00000000FE01}628704C:\Windows\system32\services.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.013{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.013{69CF5F33-1898-6154-0A00-00000000FE01}628720C:\Windows\system32\services.exe{69CF5F33-1899-6154-1200-00000000FE01}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:14.013{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1200-00000000FE01}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.982{69CF5F33-1899-6154-0E00-00000000FE01}892388C:\Windows\system32\LogonUI.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.967{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.967{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.967{69CF5F33-1898-6154-0A00-00000000FE01}628940C:\Windows\system32\services.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.967{69CF5F33-1898-6154-0A00-00000000FE01}628944C:\Windows\system32\services.exe{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.972{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{69CF5F33-1899-6154-E503-000000000000}0x3e50SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.952{69CF5F33-1898-6154-0A00-00000000FE01}628308C:\Windows\system32\services.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.952{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-1200-00000000FE01}1020C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.952{69CF5F33-1898-6154-0A00-00000000FE01}6281012C:\Windows\system32\services.exe{69CF5F33-1899-6154-1200-00000000FE01}1020C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.952{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.952{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.952{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.952{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.952{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.936{69CF5F33-1898-6154-0A00-00000000FE01}6281004C:\Windows\system32\services.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.936{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0A00-00000000FE01}628720C:\Windows\system32\services.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0800-00000000FE01}500516C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-0F00-00000000FE01}956C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0A00-00000000FE01}628724C:\Windows\system32\services.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.927{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{69CF5F33-1899-6154-E403-000000000000}0x3e40SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636712C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0900-00000000FE01}576876C:\Windows\system32\winlogon.exe{69CF5F33-1899-6154-0F00-00000000FE01}956C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.924{69CF5F33-1899-6154-0F00-00000000FE01}956C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{69CF5F33-1899-6154-58C1-000000000000}0xc1581SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001421278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636676C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1b140|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.920{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.888{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.888{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.873{69CF5F33-1898-6154-0800-00000000FE01}500596C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.873{69CF5F33-1898-6154-0900-00000000FE01}576580C:\Windows\system32\winlogon.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.876{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3bc9055 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001421263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.873{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.873{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.873{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.873{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.763{69CF5F33-1899-6154-0C00-00000000FE01}732764C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.763{69CF5F33-1899-6154-0C00-00000000FE01}732764C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.763{69CF5F33-1899-6154-0C00-00000000FE01}732764C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.763{69CF5F33-1899-6154-0C00-00000000FE01}732768C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0800-00000000FE01}500C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.763{69CF5F33-1899-6154-0C00-00000000FE01}732764C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0500-00000000FE01}420C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.748{69CF5F33-1899-6154-0C00-00000000FE01}732832C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0800-00000000FE01}500C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.748{69CF5F33-1899-6154-0C00-00000000FE01}732832C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.748{69CF5F33-1899-6154-0C00-00000000FE01}732832C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.748{69CF5F33-1899-6154-0C00-00000000FE01}732832C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0500-00000000FE01}420C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.748{69CF5F33-1899-6154-0C00-00000000FE01}732832C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.748{69CF5F33-1899-6154-0C00-00000000FE01}732832C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.748{69CF5F33-1895-6154-0200-00000000FE01}324332C:\Windows\System32\smss.exe{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001421247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:13.701{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x80000000000000001421246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:13.701{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x80000000000000001421245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.670{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.670{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.670{69CF5F33-1899-6154-0C00-00000000FE01}732768C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+480e8|c:\windows\system32\rpcss.dll+3c003|c:\windows\system32\rpcss.dll+3bf6e|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.654{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.654{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.654{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.638{69CF5F33-1898-6154-0A00-00000000FE01}628720C:\Windows\system32\services.exe{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.623{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.623{69CF5F33-1898-6154-0A00-00000000FE01}628632C:\Windows\system32\services.exe{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.607{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.607{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.591{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.591{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.435{69CF5F33-1898-6154-0A00-00000000FE01}628720C:\Windows\system32\services.exe{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.420{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.420{69CF5F33-1898-6154-0A00-00000000FE01}628632C:\Windows\system32\services.exe{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.428{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001421228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.420{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.420{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.420{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.420{69CF5F33-1898-6154-0B00-00000000FE01}636716C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.404{69CF5F33-1898-6154-0B00-00000000FE01}636684C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.404{69CF5F33-1898-6154-0B00-00000000FE01}636684C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001421222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localT1101SetValue2021-09-29 07:41:13.391{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Control\Lsa\ProductTypeDWORD (0x00000008) 10341000x80000000000000001421221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.998{69CF5F33-1898-6154-0B00-00000000FE01}636640C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+4f6ac|C:\Windows\system32\lsasrv.dll+5815f|C:\Windows\system32\lsasrv.dll+6369e|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+4708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.888{69CF5F33-1898-6154-0700-00000000FE01}492496C:\Windows\system32\wininit.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001421219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.888{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.888{69CF5F33-1898-6154-0700-00000000FE01}492496C:\Windows\system32\wininit.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.891{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exe10.0.14393.2580 (rs1_release_inmarket.181009-1745)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=5AE8589CDDE46ED132AEF8280BC8894A,SHA256=D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4,IMPHASH=0AA67FE637515AC7535797573607EAA2{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\System32\wininit.exewininit.exe 10341000x80000000000000001421216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.826{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.826{69CF5F33-1898-6154-0700-00000000FE01}492496C:\Windows\system32\wininit.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001421214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.827{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\System32\wininit.exewininit.exe 10341000x80000000000000001421213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.638{69CF5F33-1898-6154-0600-00000000FE01}484488C:\Windows\System32\smss.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001421212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.634{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{69CF5F33-1898-6154-0600-00000000FE01}484C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000dc 0000007c 10341000x80000000000000001421211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.623{69CF5F33-1895-6154-0200-00000000FE01}324332C:\Windows\System32\smss.exe{69CF5F33-1898-6154-0800-00000000FE01}500C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001421210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:12.591{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domainattackrange.local 13241300x80000000000000001421209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:12.591{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-host-542 10341000x80000000000000001421208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.591{69CF5F33-1898-6154-0400-00000000FE01}412416C:\Windows\System32\smss.exe{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001421207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.589{69CF5F33-1898-6154-0700-00000000FE01}492C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{69CF5F33-1898-6154-0400-00000000FE01}412C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000078 0000007c 10341000x80000000000000001421206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.591{69CF5F33-1898-6154-0600-00000000FE01}484488C:\Windows\System32\smss.exe{69CF5F33-1898-6154-0800-00000000FE01}500C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001421205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.592{69CF5F33-1898-6154-0800-00000000FE01}500C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{69CF5F33-1898-6154-0600-00000000FE01}484C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000000dc 0000007c 10341000x80000000000000001421204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.576{69CF5F33-1895-6154-0200-00000000FE01}324332C:\Windows\System32\smss.exe{69CF5F33-1898-6154-0600-00000000FE01}484C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.576{69CF5F33-1895-6154-0200-00000000FE01}324332C:\Windows\System32\smss.exe{69CF5F33-1898-6154-0600-00000000FE01}484C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001421202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.586{69CF5F33-1898-6154-0600-00000000FE01}484C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000000dc 0000007c C:\Windows\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{69CF5F33-1895-6154-0200-00000000FE01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000001421201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.576{69CF5F33-1895-6154-0200-00000000FE01}324332C:\Windows\System32\smss.exe{69CF5F33-1898-6154-0500-00000000FE01}420C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001421200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:12.482{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x603d8069) 13241300x80000000000000001421199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:12.482{69CF5F33-1898-6154-0500-00000000FE01}420C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x80000000000000001421198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:12.482{69CF5F33-1898-6154-0500-00000000FE01}420C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 13241300x80000000000000001421197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:12.482{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001421196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:12.482{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x80000000000000001421195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:12.482{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&6798829&0&UID0 10341000x80000000000000001421194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.420{69CF5F33-1898-6154-0400-00000000FE01}412416C:\Windows\System32\smss.exe{69CF5F33-1898-6154-0500-00000000FE01}420C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001421193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.421{69CF5F33-1898-6154-0500-00000000FE01}420C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{69CF5F33-1898-6154-0400-00000000FE01}412C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 00000078 0000007c 10341000x80000000000000001421192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.295{69CF5F33-1895-6154-0200-00000000FE01}324332C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}412C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001421191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.295{69CF5F33-1895-6154-0200-00000000FE01}324332C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}412C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001421190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:12.300{69CF5F33-1898-6154-0400-00000000FE01}412C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 00000078 0000007c C:\Windows\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{69CF5F33-1895-6154-0200-00000000FE01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x80000000000000001421189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.498{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x80000000000000001421188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:10.482{69CF5F33-1895-6154-0200-00000000FE01}324328C:\Windows\System32\smss.exe{69CF5F33-1896-6154-0300-00000000FE01}364C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001421187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:10.477{69CF5F33-1896-6154-0300-00000000FE01}364C:\Windows\System32\autochk.exe10.0.14393.4350 (rs1_release.210407-2154)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=A512733E2C767F87A8029400B4A48CD0,SHA256=1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{69CF5F33-1895-6154-0200-00000000FE01}324C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x80000000000000001421186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001421185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001421184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001421183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001421182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001421181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001421180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001421179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001421178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:10.467{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 10341000x80000000000000001422226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.910{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.895{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.895{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189B-6154-2000-00000000FE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.895{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.848{69CF5F33-1899-6154-1100-00000000FE01}9722612C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.836{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.821{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.821{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.820{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.819{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.819{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.819{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.819{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.743{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189D-6154-4000-00000000FE01}2508C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-4000-00000000FE01}2508C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.740{69CF5F33-189D-6154-3F00-00000000FE01}29242444C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{69CF5F33-189D-6154-4000-00000000FE01}2508C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.741{69CF5F33-189D-6154-4000-00000000FE01}2508C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189D-6154-3F00-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000001422200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.736{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189D-6154-3F00-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.733{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.733{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3F00-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.733{69CF5F33-189D-6154-3800-00000000FE01}27042668C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-189D-6154-3F00-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.733{69CF5F33-189D-6154-3F00-00000000FE01}2924C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 13241300x80000000000000001422187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:17.707{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000434) 10341000x80000000000000001422186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.691{69CF5F33-1898-6154-0B00-00000000FE01}6362384C:\Windows\system32\lsass.exe{69CF5F33-189D-6154-3E00-00000000FE01}2888C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.691{69CF5F33-1898-6154-0B00-00000000FE01}6362384C:\Windows\system32\lsass.exe{69CF5F33-189D-6154-3E00-00000000FE01}2888C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.691{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-3C00-00000000FE01}3044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.687{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-3E00-00000000FE01}2888C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.686{69CF5F33-189D-6154-3C00-00000000FE01}30443056C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.676{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.676{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.676{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.676{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.676{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.676{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.676{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.675{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.664{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-189D-6154-3E00-00000000FE01}2888C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.662{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3E00-00000000FE01}2888C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.661{69CF5F33-189D-6154-3B00-00000000FE01}29322672C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-189D-6154-3E00-00000000FE01}2888C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001422169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.649{69CF5F33-189D-6154-3E00-00000000FE01}2888C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001422168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.547{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.547{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3D00-00000000FE01}3024C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.538{69CF5F33-189A-6154-1B00-00000000FE01}19322236C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 154100x80000000000000001422155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.304{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe-----"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=26B76A159CC149F82352B4A99601043A,SHA256=B7EF09E159A17072EF7A93D8B1369902C851B5C40404F44EB802A83131708B2F,IMPHASH=4035D2883E01D64F3E7A9DCCB1D63AF5{69CF5F33-189A-6154-1B00-00000000FE01}1932C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001422154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.427{69CF5F33-189D-6154-3A00-00000000FE01}29762948C:\Windows\system32\wbem\wmiprvse.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\combase.dll+ac312|C:\Windows\System32\combase.dll+acc3e|C:\Windows\System32\combase.dll+ac9ff|C:\Windows\System32\combase.dll+2f2c8|C:\Windows\System32\combase.dll+2eee0|C:\Windows\System32\combase.dll+3bf47|C:\Windows\System32\combase.dll+c2774|C:\Windows\System32\combase.dll+38f61|C:\Windows\System32\combase.dll+3a760|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 13241300x80000000000000001422153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:17.427{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000001422152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189D-6154-3C00-00000000FE01}3044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3C00-00000000FE01}3044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.411{69CF5F33-189D-6154-3800-00000000FE01}27042668C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-189D-6154-3C00-00000000FE01}3044C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.413{69CF5F33-189D-6154-3C00-00000000FE01}3044C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001422139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.379{69CF5F33-189D-6154-3900-00000000FE01}24762468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.200{69CF5F33-1899-6154-1100-00000000FE01}9722612C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-3A00-00000000FE01}2976C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.200{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-3A00-00000000FE01}2976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.184{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3A00-00000000FE01}2976C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.184{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-3A00-00000000FE01}2976C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189D-6154-3900-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3900-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.136{69CF5F33-189D-6154-3800-00000000FE01}27042668C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-189D-6154-3900-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.144{69CF5F33-189D-6154-3900-00000000FE01}2476C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001422121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-189D-6154-3700-00000000FE01}26762712C:\Windows\system32\cmd.exe{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.128{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{69CF5F33-189D-6154-3700-00000000FE01}2676C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000001422108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189D-6154-3700-00000000FE01}2676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189D-6154-3700-00000000FE01}2676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-189D-6154-3700-00000000FE01}2676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.121{69CF5F33-189D-6154-3700-00000000FE01}2676C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.074{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.041{69CF5F33-189C-6154-3600-00000000FE01}28002708C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189E-6154-4600-00000000FE01}3392C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001422310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:18.786{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000435) 10341000x80000000000000001422309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189E-6154-4600-00000000FE01}3392C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-189E-6154-4500-00000000FE01}33723376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{69CF5F33-189E-6154-4600-00000000FE01}3392C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.786{69CF5F33-189E-6154-4600-00000000FE01}3392C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189E-6154-4500-00000000FE01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000001422297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.758{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189E-6154-4500-00000000FE01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189E-6154-4500-00000000FE01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.738{69CF5F33-189D-6154-3800-00000000FE01}27042668C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-189E-6154-4500-00000000FE01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.752{69CF5F33-189E-6154-4500-00000000FE01}3372C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 354300x80000000000000001422284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.195{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-34712-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001422283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.018{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.15win-host-542.attackrange.local137netbios-ns 354300x80000000000000001422282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:16.018{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x80000000000000001422281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.995{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:88d1:47ea:8a92:ffff-50235-truea00:10e:0:0:0:0:0:0-53domain 10341000x80000000000000001422280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.691{69CF5F33-189E-6154-4300-00000000FE01}32163220C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001422279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:18.658{69CF5F33-189E-6154-4400-00000000FE01}3236\PSHost.132773748784123852.3236.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001422278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.643{69CF5F33-189E-6154-4400-00000000FE01}3236NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_1worcyjw.fa5.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.643{69CF5F33-189E-6154-4400-00000000FE01}3236NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_zp25ucmy.ohs.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001422276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:18.516{69CF5F33-189B-6154-2000-00000000FE01}2252\PSHost.132773748753338835.2252.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x80000000000000001422275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:18.516{69CF5F33-189B-6154-2200-00000000FE01}2328\PSHost.132773748754738690.2328.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 11241100x80000000000000001422274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.470{69CF5F33-189E-6154-4400-00000000FE01}3236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_zp25ucmy.ohs.ps12021-09-29 07:41:18.470 10341000x80000000000000001422273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.454{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189E-6154-4400-00000000FE01}3236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.416{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-189E-6154-4400-00000000FE01}3236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.413{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.413{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.413{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.413{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.413{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.413{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.413{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.412{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189E-6154-4400-00000000FE01}3236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.412{69CF5F33-189D-6154-3B00-00000000FE01}29322916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-189E-6154-4400-00000000FE01}3236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001422260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.412{69CF5F33-189E-6154-4400-00000000FE01}3236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001422259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.370{69CF5F33-189B-6154-2000-00000000FE01}2252NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_sfxzdsyy.ofm.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.370{69CF5F33-189B-6154-2200-00000000FE01}2328NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_j45u5ahw.oc2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.370{69CF5F33-189B-6154-2000-00000000FE01}2252NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_na3mxiti.td3.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.370{69CF5F33-189B-6154-2200-00000000FE01}2328NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_saurustk.hak.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsefalse - rename failed with status 0xc0000022 10341000x80000000000000001422255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189E-6154-4300-00000000FE01}3216C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189E-6154-4300-00000000FE01}3216C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-189E-6154-4200-00000000FE01}31963200C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{69CF5F33-189E-6154-4300-00000000FE01}3216C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.270{69CF5F33-189E-6154-4300-00000000FE01}3216C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189E-6154-4200-00000000FE01}3196C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000001422242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189E-6154-4200-00000000FE01}3196C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189E-6154-4200-00000000FE01}3196C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.259{69CF5F33-189D-6154-3800-00000000FE01}27042668C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-189E-6154-4200-00000000FE01}3196C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.260{69CF5F33-189E-6154-4200-00000000FE01}3196C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001422229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.049{69CF5F33-189D-6154-4000-00000000FE01}25082468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001422228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.039{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_saurustk.hak.ps12021-09-29 07:41:18.039 11241100x80000000000000001422227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.039{69CF5F33-189B-6154-2000-00000000FE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_na3mxiti.td3.ps12021-09-29 07:41:18.039 11241100x80000000000000001422387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localEXE2021-09-29 07:41:19.986{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exe2021-09-23 08:27:33.924 23542300x80000000000000001422386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.986{69CF5F33-189B-6154-2200-00000000FE01}2328NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exeMD5=4AAC4143487A1888FC416C8D6AAA28BF,SHA256=A98ED4833C64FF96AD74F1A76358B1FB947C7BC61502E51624AFE6944982EC93,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545falsetrue 10341000x80000000000000001422385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.908{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189F-6154-4A00-00000000FE01}3568C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189F-6154-4A00-00000000FE01}3568C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.892{69CF5F33-189F-6154-4900-00000000FE01}35483552C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{69CF5F33-189F-6154-4A00-00000000FE01}3568C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.895{69CF5F33-189F-6154-4A00-00000000FE01}3568C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189F-6154-4900-00000000FE01}3548C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000001422372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189F-6154-4900-00000000FE01}3548C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.846{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-189F-6154-4900-00000000FE01}3548C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.830{69CF5F33-189F-6154-4800-00000000FE01}35363540C:\Windows\system32\cmd.exe{69CF5F33-189F-6154-4900-00000000FE01}3548C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.842{69CF5F33-189F-6154-4900-00000000FE01}3548C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{69CF5F33-189F-6154-4800-00000000FE01}3536C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000001422359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.814{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189F-6154-4800-00000000FE01}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-189F-6154-4800-00000000FE01}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.799{69CF5F33-189D-6154-3800-00000000FE01}27042668C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-189F-6154-4800-00000000FE01}3536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.803{69CF5F33-189F-6154-4800-00000000FE01}3536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 354300x80000000000000001422346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.407{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49683-false169.254.169.254-80http 354300x80000000000000001422345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:18.406{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49682-false169.254.169.254-80http 354300x80000000000000001422344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.787{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49681-false169.254.169.254-80http 354300x80000000000000001422343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.701{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49680-false169.254.169.254-80http 354300x80000000000000001422342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.645{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49679-false169.254.169.254-80http 354300x80000000000000001422341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.639{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49678-false169.254.169.254-80http 354300x80000000000000001422340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.638{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49677-false169.254.169.254-80http 354300x80000000000000001422339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.636{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49676-false169.254.169.254-80http 354300x80000000000000001422338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.635{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49675-false169.254.169.254-80http 354300x80000000000000001422337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.629{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49674-false169.254.169.254-80http 354300x80000000000000001422336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.628{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49673-false169.254.169.254-80http 354300x80000000000000001422335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:17.379{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x80000000000000001422334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.720{69CF5F33-189F-6154-4700-00000000FE01}3484NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=F99EB99B42B449211242458F3B62155C,SHA256=73D73616DE79DFE89F120499205D49EBFEB2B330472F2CE8305F12FC4438142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189F-6154-4700-00000000FE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.658{69CF5F33-189F-6154-4700-00000000FE01}34843488C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-189F-6154-4700-00000000FE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-189F-6154-4700-00000000FE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.328{69CF5F33-189D-6154-3800-00000000FE01}27042668C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-189F-6154-4700-00000000FE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.341{69CF5F33-189F-6154-4700-00000000FE01}3484C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001422318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.281{69CF5F33-189E-6154-4600-00000000FE01}33923396C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.155{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.155{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.140{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189B-6154-2000-00000000FE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.140{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189B-6154-2000-00000000FE01}2252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.124{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189E-6154-4400-00000000FE01}3236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:19.124{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189E-6154-4400-00000000FE01}3236C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.973{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-5300-00000000FE01}3948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-5300-00000000FE01}3948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.957{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A0-6154-5300-00000000FE01}3948C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.966{69CF5F33-18A0-6154-5300-00000000FE01}3948C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.895{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-18A0-6154-5200-00000000FE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.895{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-18A0-6154-5200-00000000FE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001422512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:20.856{69CF5F33-18A0-6154-5200-00000000FE01}3848\PSHost.132773748807593273.3848.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001422511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.825{69CF5F33-18A0-6154-5200-00000000FE01}3848NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tlvqmcy4.eua.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.809{69CF5F33-18A0-6154-5200-00000000FE01}3848NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_qsgc243n.fi3.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001422509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.809{69CF5F33-18A0-6154-5200-00000000FE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_qsgc243n.fi3.ps12021-09-29 07:41:20.809 10341000x80000000000000001422508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.793{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-18A0-6154-5200-00000000FE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.762{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-5200-00000000FE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.761{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.761{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.761{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.761{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.760{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.760{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.760{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.760{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.760{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.759{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-5200-00000000FE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.759{69CF5F33-189D-6154-3B00-00000000FE01}29322920C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-18A0-6154-5200-00000000FE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001422495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.759{69CF5F33-18A0-6154-5200-00000000FE01}3848C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\PVDriver'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001422494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.714{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=F99EB99B42B449211242458F3B62155C,SHA256=73D73616DE79DFE89F120499205D49EBFEB2B330472F2CE8305F12FC4438142A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.699{69CF5F33-1898-6154-0B00-00000000FE01}6362412C:\Windows\system32\lsass.exe{69CF5F33-18A0-6154-5100-00000000FE01}3812C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.699{69CF5F33-1898-6154-0B00-00000000FE01}6362412C:\Windows\system32\lsass.exe{69CF5F33-18A0-6154-5100-00000000FE01}3812C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.695{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-18A0-6154-5100-00000000FE01}3812C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.687{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-5100-00000000FE01}3812C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.686{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.685{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-5100-00000000FE01}3812C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.685{69CF5F33-189D-6154-3B00-00000000FE01}29322916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-18A0-6154-5100-00000000FE01}3812C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001422478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.685{69CF5F33-18A0-6154-5100-00000000FE01}3812C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001422477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.650{69CF5F33-18A0-6154-4B00-00000000FE01}3604NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.637{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-5000-00000000FE01}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-5000-00000000FE01}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-18A0-6154-4F00-00000000FE01}37643768C:\Windows\system32\cmd.exe{69CF5F33-18A0-6154-5000-00000000FE01}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.634{69CF5F33-18A0-6154-5000-00000000FE01}3784C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{69CF5F33-18A0-6154-4F00-00000000FE01}3764C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000001422463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.621{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-4F00-00000000FE01}3764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-4F00-00000000FE01}3764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A0-6154-4F00-00000000FE01}3764C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.612{69CF5F33-18A0-6154-4F00-00000000FE01}3764C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001422450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.606{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=52414E13BC571139A78F09588A1364A4,SHA256=3C1F79227940F5C563684E97F96860594D7E76089653064CB910620CB735929B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.575{69CF5F33-18A0-6154-4E00-00000000FE01}37083712C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.324{69CF5F33-1898-6154-0B00-00000000FE01}6362412C:\Windows\system32\lsass.exe{69CF5F33-18A0-6154-4B00-00000000FE01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.324{69CF5F33-1898-6154-0B00-00000000FE01}6362412C:\Windows\system32\lsass.exe{69CF5F33-18A0-6154-4B00-00000000FE01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001422446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:20.293{69CF5F33-18A0-6154-4B00-00000000FE01}3604\PSHost.132773748801825723.3604.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001422445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.293{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-4E00-00000000FE01}3708C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-4E00-00000000FE01}3708C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-18A0-6154-4D00-00000000FE01}36883692C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{69CF5F33-18A0-6154-4E00-00000000FE01}3708C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.290{69CF5F33-18A0-6154-4E00-00000000FE01}3708C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{69CF5F33-18A0-6154-4D00-00000000FE01}3688C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001422432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-4D00-00000000FE01}3688C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001422422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-18A0-6154-4B00-00000000FE01}3604NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_o0nnk5cd.4xc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-4D00-00000000FE01}3688C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-18A0-6154-4C00-00000000FE01}36763680C:\Windows\system32\cmd.exe{69CF5F33-18A0-6154-4D00-00000000FE01}3688C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.280{69CF5F33-18A0-6154-4D00-00000000FE01}3688C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{69CF5F33-18A0-6154-4C00-00000000FE01}3676C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001422418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001422409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.277{69CF5F33-18A0-6154-4B00-00000000FE01}3604NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ofahd1do.moe.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.262{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-4C00-00000000FE01}3676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.262{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-4C00-00000000FE01}3676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.262{69CF5F33-189D-6154-3800-00000000FE01}27042668C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{69CF5F33-18A0-6154-4C00-00000000FE01}3676C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.272{69CF5F33-18A0-6154-4C00-00000000FE01}3676C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189D-6154-3800-00000000FE01}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 11241100x80000000000000001422404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.247{69CF5F33-18A0-6154-4B00-00000000FE01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ofahd1do.moe.ps12021-09-29 07:41:20.247 10341000x80000000000000001422403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.215{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-18A0-6154-4B00-00000000FE01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.215{69CF5F33-189F-6154-4A00-00000000FE01}35683572C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.194{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-18A0-6154-4B00-00000000FE01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.185{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.185{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.185{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.184{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.184{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.184{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.184{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.184{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.184{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.182{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18A0-6154-4B00-00000000FE01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.182{69CF5F33-189D-6154-3B00-00000000FE01}29322920C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-18A0-6154-4B00-00000000FE01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001422389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.182{69CF5F33-18A0-6154-4B00-00000000FE01}3604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_OperatingSystem" "| Select-Object" "Version, OperatingSystemSKU" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001422388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:20.147{69CF5F33-189E-6154-4400-00000000FE01}3236NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5F00-00000000FE01}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5F00-00000000FE01}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.953{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5F00-00000000FE01}3360C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.957{69CF5F33-18A1-6154-5F00-00000000FE01}3360C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5E00-00000000FE01}3296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5E00-00000000FE01}3296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.846{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5E00-00000000FE01}3296C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.848{69CF5F33-18A1-6154-5E00-00000000FE01}3296C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.812{69CF5F33-1898-6154-0B00-00000000FE01}6362412C:\Windows\system32\lsass.exe{69CF5F33-18A1-6154-5C00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.812{69CF5F33-1898-6154-0B00-00000000FE01}6362412C:\Windows\system32\lsass.exe{69CF5F33-18A1-6154-5C00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001422709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:21.781{69CF5F33-18A1-6154-5C00-00000000FE01}3400\PSHost.132773748816907231.3400.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001422708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.765{69CF5F33-18A1-6154-5C00-00000000FE01}3400NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_dkwd3zef.o2m.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.765{69CF5F33-18A1-6154-5C00-00000000FE01}3400NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_jxvluimo.rvk.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001422706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.749{69CF5F33-18A1-6154-5C00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_jxvluimo.rvk.ps12021-09-29 07:41:21.749 10341000x80000000000000001422705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5D00-00000000FE01}3532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5D00-00000000FE01}3532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.734{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5D00-00000000FE01}3532C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.737{69CF5F33-18A1-6154-5D00-00000000FE01}3532C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.718{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-18A1-6154-5C00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.694{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5C00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.692{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.692{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.692{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.691{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.691{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.691{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.691{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.691{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.691{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.691{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5C00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.690{69CF5F33-189D-6154-3B00-00000000FE01}29322920C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-18A1-6154-5C00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001422679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.690{69CF5F33-18A1-6154-5C00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPEntity | Where-Object { $_.Service -eq 'xenvbd' }" "| Select-Object" DeviceID "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001422678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.641{69CF5F33-1898-6154-0B00-00000000FE01}6362412C:\Windows\system32\lsass.exe{69CF5F33-18A1-6154-5A00-00000000FE01}3232C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.641{69CF5F33-1898-6154-0B00-00000000FE01}6362412C:\Windows\system32\lsass.exe{69CF5F33-18A1-6154-5A00-00000000FE01}3232C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-18A1-6154-5A00-00000000FE01}3232C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5B00-00000000FE01}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.631{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.630{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.630{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5A00-00000000FE01}3232C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.629{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5B00-00000000FE01}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5B00-00000000FE01}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-18A1-6154-5B00-00000000FE01}3224C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.628{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.627{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5A00-00000000FE01}3232C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.627{69CF5F33-189D-6154-3B00-00000000FE01}29322916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-18A1-6154-5A00-00000000FE01}3232C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001422650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.627{69CF5F33-18A1-6154-5A00-00000000FE01}3232C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001422649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.599{69CF5F33-18A1-6154-5500-00000000FE01}4004NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5900-00000000FE01}3312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5900-00000000FE01}3312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.523{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5900-00000000FE01}3312C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.525{69CF5F33-18A1-6154-5900-00000000FE01}3312C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001422635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.491{69CF5F33-189B-6154-2000-00000000FE01}2252NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5800-00000000FE01}2884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5800-00000000FE01}2884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.412{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5800-00000000FE01}2884C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.414{69CF5F33-18A1-6154-5800-00000000FE01}2884C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189D-6154-3A00-00000000FE01}2976C:\Windows\system32\wbem\wmiprvse.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189B-6154-2700-00000000FE01}2620C:\Windows\system32\wbem\unsecapp.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1F00-00000000FE01}1976C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1D00-00000000FE01}1960C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1800-00000000FE01}1688C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1700-00000000FE01}1284C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-1200-00000000FE01}1020C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-0D00-00000000FE01}792C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.396{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.381{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.381{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.381{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189B-6154-2200-00000000FE01}2328C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.381{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.381{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.381{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1A00-00000000FE01}1900C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.381{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-1899-6154-0F00-00000000FE01}956C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.365{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189D-6154-3D00-00000000FE01}3024C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.365{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189B-6154-2B00-00000000FE01}2832C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.365{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189B-6154-2600-00000000FE01}2504C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.365{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189B-6154-2300-00000000FE01}2336C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.365{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189B-6154-2100-00000000FE01}2264C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.365{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189B-6154-2500-00000000FE01}2496C:\Windows\system32\compattelrunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.365{69CF5F33-189B-6154-2000-00000000FE01}22523468C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{69CF5F33-189A-6154-1B00-00000000FE01}1932C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF858829991) 10341000x80000000000000001422587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5700-00000000FE01}2928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5700-00000000FE01}2928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.301{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5700-00000000FE01}2928C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.304{69CF5F33-18A1-6154-5700-00000000FE01}2928C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.286{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.286{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001422572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:21.270{69CF5F33-18A1-6154-5500-00000000FE01}4004\PSHost.132773748811857065.4004.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001422571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.254{69CF5F33-18A1-6154-5500-00000000FE01}4004NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_nflww4ok.cvb.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.254{69CF5F33-18A1-6154-5500-00000000FE01}4004NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_c1dh33a4.kjq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001422569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.239{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_c1dh33a4.kjq.ps12021-09-29 07:41:21.239 10341000x80000000000000001422568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.223{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.200{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5600-00000000FE01}4028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.199{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.199{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.198{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.198{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.198{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.198{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.198{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.198{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.198{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.197{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5600-00000000FE01}4028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.197{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5600-00000000FE01}4028C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.198{69CF5F33-18A1-6154-5600-00000000FE01}4028C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.192{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.189{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.186{69CF5F33-189D-6154-3B00-00000000FE01}29322916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 10341000x80000000000000001422551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.187{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.187{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.187{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.187{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.187{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.187{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.187{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.185{69CF5F33-18A1-6154-5500-00000000FE01}4004C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\AwsNitroEnclaves'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001422541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.161{69CF5F33-18A0-6154-5200-00000000FE01}3848NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A1-6154-5400-00000000FE01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A1-6154-5400-00000000FE01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.073{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A1-6154-5400-00000000FE01}3980C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:21.078{69CF5F33-18A1-6154-5400-00000000FE01}3980C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.797{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A2-6154-6000-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.797{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.797{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.797{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.797{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.797{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.797{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.797{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.781{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18A2-6154-6000-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.781{69CF5F33-189A-6154-1C00-00000000FE01}19402828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A2-6154-6000-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.070{69CF5F33-18A2-6154-6000-00000000FE01}1812C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001422759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.704{69CF5F33-18A2-6154-6100-00000000FE01}3572NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001422758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.362{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-18A2-6154-6100-00000000FE01}3572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.362{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-18A2-6154-6100-00000000FE01}3572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001422756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:22.330{69CF5F33-18A2-6154-6100-00000000FE01}3572\PSHost.132773748822549566.3572.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001422755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.315{69CF5F33-18A2-6154-6100-00000000FE01}3572NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_4mcbnkhi.fj1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.315{69CF5F33-18A2-6154-6100-00000000FE01}3572NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tgwyghbt.v25.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001422753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.315{69CF5F33-18A2-6154-6100-00000000FE01}3572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tgwyghbt.v25.ps12021-09-29 07:41:22.315 10341000x80000000000000001422752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.284{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-18A2-6154-6100-00000000FE01}3572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.259{69CF5F33-189D-6154-3D00-00000000FE01}30243008C:\Windows\system32\conhost.exe{69CF5F33-18A2-6154-6100-00000000FE01}3572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.255{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.255{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.255{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.255{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.255{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.255{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.255{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.255{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.254{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.254{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18A2-6154-6100-00000000FE01}3572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.254{69CF5F33-189D-6154-3B00-00000000FE01}29322916C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{69CF5F33-18A2-6154-6100-00000000FE01}3572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001422739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.254{69CF5F33-18A2-6154-6100-00000000FE01}3572C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001422738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:22.234{69CF5F33-18A1-6154-5C00-00000000FE01}3400NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:23.734{69CF5F33-189B-6154-2200-00000000FE01}2328NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001422774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:41:24.094{69CF5F33-1899-6154-1400-00000000FE01}368\W32TIME_ALTC:\Windows\system32\svchost.exe 10341000x80000000000000001422785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:25.969{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001422809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.501{69CF5F33-1898-6154-0B00-00000000FE01}636_ldap._tcp.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000001422808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.501{69CF5F33-189A-6154-1500-00000000FE01}1056_ldap._tcp.dc._msdcs.attackrange.local.1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001422807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:24.102{69CF5F33-1898-6154-0B00-00000000FE01}636win-host-542010.0.1.15;C:\Windows\System32\lsass.exe 10341000x80000000000000001422806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.891{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.875{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.876{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001422793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:26.500{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{FDCF54B6-F940-4B24-98D1-F78647E58331}\DateLastConnectedBinary Data 10341000x80000000000000001422792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001422789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.438{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=D873564D5CD0ACC59EBC04C268865355,SHA256=3BB6BE4756B513FD0A4055858DBD3CE858DA6B368D47345CE1B5F5CC4A511946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.438{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=719D576D7705DFC08B0046179A61ED9F,SHA256=D87416273CE0E408FC64A0ECEBACF7543BA15D0789883BEC26A19C7CD68128FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.422{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=7E69B6FACFB716DBA7BC3695033F140C,SHA256=4419C9085C7D6B4C83FEF14A0C41E443F26FE0BBD38B09CBDFBCFEE819890F39,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001422786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:24.096{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse169.254.169.123-123ntp 10341000x80000000000000001422835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.844{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-18A7-6154-6400-00000000FE01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A7-6154-6400-00000000FE01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A7-6154-6400-00000000FE01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.781{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A7-6154-6400-00000000FE01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.579{69CF5F33-18A7-6154-6400-00000000FE01}2888C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.016{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A8-6154-6500-00000000FE01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18A8-6154-6500-00000000FE01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A8-6154-6500-00000000FE01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.641{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.445{69CF5F33-18A8-6154-6500-00000000FE01}3176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.203{69CF5F33-18A6-6154-6300-00000000FE01}39804000C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+2016cb|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a6e213|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001422847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:28.203{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMinorVersionDWORD (0x00000000) 13241300x80000000000000001422846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:28.203{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMajorVersionDWORD (0x00000005) 13241300x80000000000000001422845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:28.203{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\npf\TimestampModeDWORD (0x00000000) 13241300x80000000000000001422844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:28.188{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\DisplayNamenpf 13241300x80000000000000001422843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localT1031,T1050SetValue2021-09-29 07:41:28.188{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ImagePath\??\C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sys 13241300x80000000000000001422842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:28.188{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\ErrorControlDWORD (0x00000001) 13241300x80000000000000001422841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localT1031,T1050SetValue2021-09-29 07:41:28.188{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\StartDWORD (0x00000003) 13241300x80000000000000001422840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:28.188{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\npf\TypeDWORD (0x00000001) 22542200x80000000000000001422839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.547{69CF5F33-1898-6154-0B00-00000000FE01}636_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000001422838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.657{69CF5F33-1898-6154-0B00-00000000FE01}636_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000001422837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.610{69CF5F33-1899-6154-1400-00000000FE01}368wpad1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001422836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:26.610{69CF5F33-189A-6154-1500-00000000FE01}1056www.msftconnecttest.com1460-C:\Windows\System32\svchost.exe 10341000x80000000000000001422890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.735{69CF5F33-18A9-6154-6600-00000000FE01}34363124C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.531{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.516{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18A9-6154-6600-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18A9-6154-6600-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.500{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18A9-6154-6600-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.336{69CF5F33-18A9-6154-6600-00000000FE01}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001422864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.203{69CF5F33-1899-6154-1200-00000000FE01}1020NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDD51AA.tmpMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtruetrue 23542300x80000000000000001422863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.188{69CF5F33-1899-6154-1200-00000000FE01}1020NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\Temp\UDD51AA.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001422862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.112{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-49142-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001422905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18AA-6154-6700-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18AA-6154-6700-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.438{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18AA-6154-6700-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.227{69CF5F33-18AA-6154-6700-00000000FE01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001422892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.766{69CF5F33-1899-6154-1100-00000000FE01}972isatap.eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001422891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:27.723{69CF5F33-18A6-6154-6300-00000000FE01}3980win-host-5420fe80::e060:eede:318:987a;::ffff:10.0.1.15;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 354300x80000000000000001422932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.557{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-52206-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001422931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001422930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001422929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001422928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000000) 13241300x80000000000000001422927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001422926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001422925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001422924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001422923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001422922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001422921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001422920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:31.500{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 10341000x80000000000000001422919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18AB-6154-6800-00000000FE01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18AB-6154-6800-00000000FE01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.297{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18AB-6154-6800-00000000FE01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.118{69CF5F33-18AB-6154-6800-00000000FE01}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001422906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:29.485{69CF5F33-18A6-6154-6300-00000000FE01}3980win-host-542.attackrange.local010.0.1.15;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000001422961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18AC-6154-6A00-00000000FE01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18AC-6154-6A00-00000000FE01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.891{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18AC-6154-6A00-00000000FE01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.892{69CF5F33-18AC-6154-6A00-00000000FE01}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001422948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.532{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:88d1:47ea:8a92:ffff-63869-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001422947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:30.532{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:e060:eede:318:987awin-host-542.attackrange.local63869-trueff02:0:0:0:0:0:1:3-5355llmnr 10341000x80000000000000001422946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.531{69CF5F33-18AC-6154-6900-00000000FE01}40204016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18AC-6154-6900-00000000FE01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18AC-6154-6900-00000000FE01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.188{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18AC-6154-6900-00000000FE01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:32.010{69CF5F33-18AC-6154-6900-00000000FE01}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001422977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.734{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18AD-6154-6B00-00000000FE01}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.734{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18AD-6154-6B00-00000000FE01}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.734{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18AD-6154-6B00-00000000FE01}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.398{69CF5F33-18AD-6154-6B00-00000000FE01}3052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 644600x80000000000000001422964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:09.373C:\Windows\System32\drivers\AWSNVMe.sysMD5=F973CB5B8A3BF93A98EC05CC5ADE2AF2,SHA256=3FF25D39BE1979F3CE802E3A20BE2DDAD80A7E77EBCFC3393AFC1F24B8F38D34,IMPHASH=CD93018539A11565D60D28DF18DCB293trueAmazon Web Services, Inc.Valid 22542200x80000000000000001422963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:31.510{69CF5F33-189A-6154-1500-00000000FE01}1056win-host-542.attackrange.local1460-C:\Windows\System32\svchost.exe 10341000x80000000000000001422962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:33.109{69CF5F33-18AC-6154-6A00-00000000FE01}17002468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.985{69CF5F33-18AE-6154-6C00-00000000FE01}33643404C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18AE-6154-6C00-00000000FE01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.766{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18AE-6154-6C00-00000000FE01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001422984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.781{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001422982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.766{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18AE-6154-6C00-00000000FE01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.547{69CF5F33-18AE-6154-6C00-00000000FE01}3364C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 644600x80000000000000001422980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:11.623C:\Windows\System32\drivers\AWSNVMe.sysMD5=F973CB5B8A3BF93A98EC05CC5ADE2AF2,SHA256=3FF25D39BE1979F3CE802E3A20BE2DDAD80A7E77EBCFC3393AFC1F24B8F38D34,IMPHASH=CD93018539A11565D60D28DF18DCB293trueAmazon Web Services, Inc.Valid 10341000x80000000000000001422979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:34.016{69CF5F33-18AD-6154-6B00-00000000FE01}30524008C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 644600x80000000000000001422978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:09.748C:\Windows\System32\drivers\ena.sysMD5=C593555FD929A6FA925129109C08FC65,SHA256=5ADD00C93BE0C3E978DA48DED964A54F730B40F98C72D3F6145D79E3BFE8364D,IMPHASH=FB370D8374B216430C11D17F479694B1trueAmazon Web Services, Inc.Valid 10341000x80000000000000001423011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18AF-6154-6D00-00000000FE01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18AF-6154-6D00-00000000FE01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.656{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18AF-6154-6D00-00000000FE01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001422999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.467{69CF5F33-18AF-6154-6D00-00000000FE01}3284C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x80000000000000001422998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:13.045{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001422997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.172{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AC6A66672678731BD0C0551C4758AB8D,SHA256=3C54B6D3A487F609127926F0665EA50584A099E01D4FD46D584C9E31C5DFBA8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.156{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=03AB6B1D0569DE0CE2FC42916740BC41,SHA256=43BA02DB45CA7029FD8E9F88CA044FDDDAF3A84E45A2F4EBC7D6052A05760443,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001422995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:35.016{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F11628551EA5647B029CE3596886725A,SHA256=E6636A64B15E72749365EF6093942FA8164A9F9108CE47D01C42A9980B677EF0,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001423014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:38.266{69CF5F33-1898-6154-0B00-00000000FE01}636_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.1460-C:\Windows\System32\lsass.exe 13241300x80000000000000001423013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:38.562{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{fdcf54b6-f940-4b24-98d1-f78647e58331}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001423012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:38.562{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{fdcf54b6-f940-4b24-98d1-f78647e58331}\LastProbeTimeDWORD (0x615418b2) 22542200x80000000000000001423020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:38.704{69CF5F33-1898-6154-0B00-00000000FE01}636_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000001423019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:38.563{69CF5F33-189A-6154-1500-00000000FE01}1056eu-central-1.compute.internal1223-C:\Windows\System32\svchost.exe 22542200x80000000000000001423018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:38.563{69CF5F33-189A-6154-1500-00000000FE01}1056eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001423017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:38.563{69CF5F33-1898-6154-0B00-00000000FE01}636_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.eu-central-1.compute.internal.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000001423016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:38.563{69CF5F33-189A-6154-1500-00000000FE01}1056ijhyomszsw1460-C:\Windows\System32\svchost.exe 13241300x80000000000000001423015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:39.609{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 22542200x80000000000000001423021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:39.610{69CF5F33-1899-6154-1100-00000000FE01}972win10.ipv6.microsoft.com.1460-C:\Windows\System32\svchost.exe 354300x80000000000000001423022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:39.144{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-6324-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:41.258{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-9279-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:41.491{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-9565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001423024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:44.406{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001423068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.812{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.672{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1700-00000000FE01}1284C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.672{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1200-00000000FE01}1020C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001423064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-1100-00000000FE01}9721568C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-1100-00000000FE01}9721192C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-1100-00000000FE01}9721568C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-1100-00000000FE01}9721192C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732768C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732768C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732768C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0900-00000000FE01}576C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1898-6154-0B00-00000000FE01}6362384C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\samsrv.dll+35cb|C:\Windows\SYSTEM32\samsrv.dll+32b7|C:\Windows\SYSTEM32\samsrv.dll+31dc|C:\Windows\SYSTEM32\samsrv.dll+315e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1898-6154-0B00-00000000FE01}6362384C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\samsrv.dll+35cb|C:\Windows\SYSTEM32\samsrv.dll+3465|C:\Windows\SYSTEM32\samsrv.dll+3403|C:\Windows\SYSTEM32\samsrv.dll+3226|C:\Windows\SYSTEM32\samsrv.dll+314b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1898-6154-0B00-00000000FE01}6362384C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\samsrv.dll+3ca9|C:\Windows\SYSTEM32\samsrv.dll+3ab3|C:\Windows\SYSTEM32\samsrv.dll+311f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.656{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.623{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Leave)Binary Data 10341000x80000000000000001514585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:27.623{5EBD8912-1892-6154-0200-00000000FE01}320324C:\Windows\System32\smss.exe{5EBD8912-18A7-6154-0300-00000000FE01}364C:\Windows\system32\autochk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+4f84|\SystemRoot\System32\smss.exe+20b6|\SystemRoot\System32\smss.exe+65b2|\SystemRoot\System32\smss.exe+a3bb|\SystemRoot\System32\smss.exe+1652|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001514584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:27.610{5EBD8912-18A7-6154-0300-00000000FE01}364C:\Windows\System32\autochk.exe10.0.14393.4350 (rs1_release.210407-2154)Auto Check UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationAutoChk.Exe\??\C:\Windows\system32\autochk.exe /q /v *C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=A512733E2C767F87A8029400B4A48CD0,SHA256=1ED75EB59C2897304E0160E0605071178418802C31910D78A2076B0414047875,IMPHASH=1BF5E4792E849FE3BCFE23E7C1B21A3F{5EBD8912-1892-6154-0200-00000000FE01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 13241300x80000000000000001514583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.607{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001514582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.592{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001514581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.592{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001514580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.592{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001514579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.592{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001514578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.592{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001514577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.592{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001514576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.592{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001514575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:27.592{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\VSS\Diag\VolSnap\VolumesSafeForWrite (Enter)Binary Data 13241300x80000000000000001514574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.342{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001514573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.342{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001514572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.342{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\SMBiosDataBinary Data 13241300x80000000000000001514571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.342{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001514570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.342{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\NdisVirtualBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5d2d1ccc) 13241300x80000000000000001514569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.342{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\gencounter\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5d2d1ccc) 13241300x80000000000000001514568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.326{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\intelppm\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5d2abb08) 13241300x80000000000000001514567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.310{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000014) 13241300x80000000000000001514566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.310{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000014) 13241300x80000000000000001514565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.310{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\19LPTENUM\MicrosoftRawPort\5&dde82d&0&LPT1 12241200x80000000000000001514564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:07.107{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalled 13241300x80000000000000001514563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.107{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Parport\ModeCheckedStalledDWORD (0x00002f89) 13241300x80000000000000001514562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.107{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5d09593e) 13241300x80000000000000001514561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.107{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\CompositeBus\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x5d09593e) 13241300x80000000000000001514560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.030{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001514559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.030{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\ena\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001514558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.030{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMinorVersionDWORD (0x00000032) 13241300x80000000000000001514557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:07.030{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\ena\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001514556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.998{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Parameters\WppRecorder_TraceGuid{09281f1f-f66e-485a-99a2-91638f782c49} 13241300x80000000000000001514555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.982{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\i8042prt\Parameters\WppRecorder_TraceGuid{7ffb8eb8-2c86-45d6-a7c5-c023d9c070c1} 13241300x80000000000000001514554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.920{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\BiosDataBinary Data 13241300x80000000000000001514553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.920{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\RegistersDataBinary Data 13241300x80000000000000001514552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.920{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mssmbios\Data\AcpiDataBinary Data 13241300x80000000000000001514551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.888{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001514550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.888{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001514549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.888{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001514548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.888{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\Psched\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001514547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.888{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001514546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.888{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001514545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.888{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMinorVersionDWORD (0x00000028) 13241300x80000000000000001514544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.888{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\RDMANDK\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001514543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:06.717{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\cdrom\Parameters\WppRecorder_TraceGuid{a4196372-c3c4-42d5-87bf-7edb2e9bcc27} 13241300x80000000000000001514542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:05.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001514541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:05.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\CountDWORD (0x00000001) 13241300x80000000000000001514540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:05.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volsnap\Enum\0STORAGE\Volume\{063c67cf-1c3b-11ec-ab2e-806e6f6e6963}#0000000000100000 13241300x80000000000000001514539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:05.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001514538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:05.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\CountDWORD (0x00000001) 13241300x80000000000000001514537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:05.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\volume\Enum\0STORAGE\Volume\{063c67cf-1c3b-11ec-ab2e-806e6f6e6963}#0000000000100000 434400x80000000000000001514536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local2021-09-29 07:41:45.583Started13.014.50 10341000x80000000000000001515681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.923{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BA-6154-3F00-00000000FE01}3532C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18A9-6154-0A00-00000000FE01}632304C:\Windows\system32\services.exe{5EBD8912-18BA-6154-3F00-00000000FE01}3532C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.876{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.860{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3F00-00000000FE01}3532C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.860{5EBD8912-18A9-6154-0A00-00000000FE01}6322896C:\Windows\system32\services.exe{5EBD8912-18BA-6154-3F00-00000000FE01}3532C:\Windows\System32\vds.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.858{5EBD8912-18BA-6154-3F00-00000000FE01}3532C:\Windows\System32\vds.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationvds.exeC:\Windows\System32\vds.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F43B67F8FB870A731294662603690C2F,SHA256=9707255C9778F9A8135BAA4F1A16FAC9EBF2991FD6AF937B232D5FA52D14AC33,IMPHASH=3F541E0A1D775ACA4A7D5FBDFF8433C5{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 23542300x80000000000000001515631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.858{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-000MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001515630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BA-6154-3E00-00000000FE01}3496C:\Windows\System32\vdsldr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.842{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.827{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.826{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3E00-00000000FE01}3496C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BA-6154-3E00-00000000FE01}3496C:\Windows\System32\vdsldr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.825{5EBD8912-18BA-6154-3E00-00000000FE01}3496C:\Windows\System32\vdsldr.exe10.0.14393.4169 (rs1_release.210107-1130)Virtual Disk Service LoaderMicrosoft® Windows® Operating SystemMicrosoft Corporationvdsldr.exeC:\Windows\System32\vdsldr.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B344B812DD6C294360563E52B2EF1C13,SHA256=0A4CA31848D7513F97F72D0292F5BBEE1CA409AAFFCACDE5369E12003B34118D,IMPHASH=D6207B24445355CEA1AC6C8E9A2BA2B9{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001515577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BA-6154-3D00-00000000FE01}3464C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001515567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18B9-6154-2F00-00000000FE01}2408NT AUTHORITY\SYSTEMC:\Windows\system32\DFSRs.exeC:\Windows\debug\Dfsr00005.logMD5=305C64460F33A163BD657A6AEB48E7A4,SHA256=0D19D7AE3ABD4FEFFD6B759BCC0E28C0220D03F4D795BDA9D441C001ED941528,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001515566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3D00-00000000FE01}3464C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18BA-6154-3C00-00000000FE01}34443448C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-18BA-6154-3D00-00000000FE01}3464C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.817{5EBD8912-18BA-6154-3D00-00000000FE01}3464C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BA-6154-3C00-00000000FE01}3444C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001515563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BA-6154-3C00-00000000FE01}3444C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3C00-00000000FE01}3444C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18BA-6154-3B00-00000000FE01}34323436C:\Windows\system32\cmd.exe{5EBD8912-18BA-6154-3C00-00000000FE01}3444C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.810{5EBD8912-18BA-6154-3C00-00000000FE01}3444C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-18BA-6154-3B00-00000000FE01}3432C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001515550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.794{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BA-6154-3B00-00000000FE01}3432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.794{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3B00-00000000FE01}3432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.794{5EBD8912-18BA-6154-3700-00000000FE01}33363340C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BA-6154-3B00-00000000FE01}3432C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14738|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.805{5EBD8912-18BA-6154-3B00-00000000FE01}3432C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18BA-6154-3700-00000000FE01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001515546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.779{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.732{5EBD8912-18BA-6154-3A00-00000000FE01}33963400C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.684{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.668{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.652{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.637{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.621{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.606{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.589{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.573{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.558{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.489{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3396C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.489{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3396C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.489{5EBD8912-18BA-6154-3900-00000000FE01}33763380C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{00000000-0000-0000-0000-000000000000}3396C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.495{5EBD8912-18BA-6154-3A00-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BA-6154-3900-00000000FE01}3376C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool web list settings --no-log 10341000x80000000000000001515397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.489{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BA-6154-3900-00000000FE01}3376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.473{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.473{00000000-0000-0000-0000-000000000000}33563360C:\Windows\system32\cmd.exe{00000000-0000-0000-0000-000000000000}3376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.486{5EBD8912-18BA-6154-3900-00000000FE01}3376C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-18BA-6154-3800-00000000FE01}3356C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool web list settings --no-log 10341000x80000000000000001515393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.473{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{00000000-0000-0000-0000-000000000000}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.473{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.473{5EBD8912-18BA-6154-3700-00000000FE01}33363340C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{00000000-0000-0000-0000-000000000000}3356C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+146d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.478{5EBD8912-18BA-6154-3800-00000000FE01}3356C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool web list settings --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18BA-6154-3700-00000000FE01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001515389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.458{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BA-6154-3700-00000000FE01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.458{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3700-00000000FE01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.458{5EBD8912-18BA-6154-3600-00000000FE01}33243328C:\Windows\system32\cmd.exe{5EBD8912-18BA-6154-3700-00000000FE01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.465{5EBD8912-18BA-6154-3700-00000000FE01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5EBD8912-18BA-6154-3600-00000000FE01}3324C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001515385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.458{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BA-6154-3600-00000000FE01}3324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.458{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3600-00000000FE01}3324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.458{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BA-6154-3600-00000000FE01}3324C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7d48|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.460{5EBD8912-18BA-6154-3600-00000000FE01}3324C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_argsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001515381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.442{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001515380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:46.442{5EBD8912-18A9-6154-0A00-00000000FE01}632\Winsock2\CatalogChangeListener-278-0C:\Windows\system32\services.exe 10341000x80000000000000001515379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.442{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3500-00000000FE01}3292C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.442{5EBD8912-18A9-6154-0A00-00000000FE01}632304C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.411{5EBD8912-18BA-6154-3300-00000000FE01}32323252C:\Windows\system32\conhost.exe{5EBD8912-18BA-6154-3400-00000000FE01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.411{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BA-6154-3400-00000000FE01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.411{5EBD8912-18BA-6154-3200-00000000FE01}32243228C:\Windows\system32\cmd.exe{5EBD8912-18BA-6154-3400-00000000FE01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.408{5EBD8912-18BA-6154-3400-00000000FE01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5EBD8912-18BA-6154-3200-00000000FE01}3224C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvars 10341000x80000000000000001515364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.395{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.394{5EBD8912-18BA-6154-3300-00000000FE01}32323252C:\Windows\system32\conhost.exe{5EBD8912-18BA-6154-3200-00000000FE01}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.378{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.332{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.332{5EBD8912-18B9-6154-2900-00000000FE01}29602964C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{00000000-0000-0000-0000-000000000000}3224C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2b15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.337{5EBD8912-18BA-6154-3200-00000000FE01}3224C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _RAW_envvarsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001515341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.252{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.237{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.205{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.174{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.142{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.919{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.919{5EBD8912-18A9-6154-0A00-00000000FE01}6322896C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.158{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" serviceC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.890{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.890{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.890{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.890{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.890{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.890{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.890{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.873{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.873{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.663{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.663{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001515210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:45.647{5EBD8912-18AC-6154-1600-00000000FE01}1272\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDERC:\Windows\system32\svchost.exe 10341000x80000000000000001515209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.583{5EBD8912-18A9-6154-0A00-00000000FE01}632296C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.583{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.583{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.583{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.521{5EBD8912-18A9-6154-0A00-00000000FE01}632708C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2800-00000000FE01}2952C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.520{5EBD8912-18B9-6154-2800-00000000FE01}29522352C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 10341000x80000000000000001515203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.520{5EBD8912-18B9-6154-2800-00000000FE01}29522352C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 10341000x80000000000000001515202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.520{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.520{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.512{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2600-00000000FE01}2856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.512{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2600-00000000FE01}2856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.486{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-3100-00000000FE01}2788C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.482{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.478{5EBD8912-18A9-6154-0A00-00000000FE01}632716C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.438{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-3100-00000000FE01}2788C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.438{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-3100-00000000FE01}2788C:\Windows\system32\wbem\unsecapp.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.439{5EBD8912-18B9-6154-3100-00000000FE01}2788C:\Windows\System32\wbem\unsecapp.exe10.0.14393.4169 (rs1_release.210107-1130)Sink to receive asynchronous callbacks for WMI client applicationMicrosoft® Windows® Operating SystemMicrosoft Corporationunsecapp.dllC:\Windows\system32\wbem\unsecapp.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=2443CA5962E2134CB389DCD5056D27AE,SHA256=018FF62BCDC292CF9290DB0574C8EF9C97EBC26933C8FC950DD8E6B2B91972FB,IMPHASH=A3CC49DF67C2278F822C9EBB9908BF09{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 17141700x80000000000000001515192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:45.438{5EBD8912-18B9-6154-3000-00000000FE01}2356\netdfsC:\Windows\system32\dfssvc.exe 10341000x80000000000000001515191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.438{5EBD8912-18A9-6154-0A00-00000000FE01}6322904C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2E00-00000000FE01}2500C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.423{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2800-00000000FE01}2952C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.423{5EBD8912-18A9-6154-0A00-00000000FE01}632296C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2800-00000000FE01}2952C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.155{5EBD8912-18B9-6154-2800-00000000FE01}2952C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe-----"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BBAE700ACE8ED78E8ADF1DEFFB197405,SHA256=6A681197092F46092D23CC95FF245F81C1AE7C7F302411757D035CA2908DFB14,IMPHASH=4035D2883E01D64F3E7A9DCCB1D63AF5{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.423{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.423{5EBD8912-18A9-6154-0A00-00000000FE01}632708C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.274{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exe10.0.14393.4169 (rs1_release.210107-1130)Distributed File System ReplicationMicrosoft® Windows® Operating SystemMicrosoft Corporationdfsr.exeC:\Windows\system32\DFSRs.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F2483716D6C752FB448C7295AA3B49A1,SHA256=6B77249159D3C217694B52F0B1C75E0649486EF4A3FE4513CD41D81E7DEB709A,IMPHASH=C1481566D7D03EEC4CC460B52429BA9C{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.392{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001515183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:45.392{5EBD8912-18B9-6154-2600-00000000FE01}2856\PSHost.132773749050967103.2856.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001515182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.376{5EBD8912-18A9-6154-0A00-00000000FE01}632696C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.361{5EBD8912-18A9-6154-0A00-00000000FE01}6322892C:\Windows\system32\services.exe{5EBD8912-18B9-6154-3000-00000000FE01}2356C:\Windows\system32\dfssvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.361{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2D00-00000000FE01}2460C:\Windows\System32\ismserv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.361{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2D00-00000000FE01}2460C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.345{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-3000-00000000FE01}2356C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.345{5EBD8912-18A9-6154-0A00-00000000FE01}632300C:\Windows\system32\services.exe{5EBD8912-18B9-6154-3000-00000000FE01}2356C:\Windows\system32\dfssvc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.305{5EBD8912-18B9-6154-3000-00000000FE01}2356C:\Windows\System32\dfssvc.exe10.0.14393.4583 (rs1_release.210730-1850)Windows NT Distributed File System ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdfssvc.exeC:\Windows\system32\dfssvc.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=FC6D2FD94ECCD95AC666A31DE5254628,SHA256=D639C43DA28D49C05B8FCA3BF81575888F46089EC7146E367F64E2274741B8BA,IMPHASH=D38366C43D0F6223104A675303D8E8CB{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.330{5EBD8912-18A9-6154-0A00-00000000FE01}6322908C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.330{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.330{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001515172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.313{5EBD8912-18B9-6154-2600-00000000FE01}2856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_ikpaf5n2.lpz.ps12021-09-29 07:41:45.313 10341000x80000000000000001515171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.313{5EBD8912-18A9-6154-0A00-00000000FE01}632696C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2D00-00000000FE01}2460C:\Windows\System32\ismserv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.302{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2E00-00000000FE01}2500C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.302{5EBD8912-18A9-6154-0A00-00000000FE01}632716C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2E00-00000000FE01}2500C:\Program Files\Amazon\XenTools\LiteAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.273{5EBD8912-18B9-6154-2E00-00000000FE01}2500C:\Program Files\Amazon\XenTools\LiteAgent.exe1.0xenagentXENIFACEAmazon Inc.xenagent.exe"C:\Program Files\Amazon\XenTools\LiteAgent.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=3727559C2C2FE26EE668086FAF992815,SHA256=8130E7A850E0A088CB46F2595F7418CE9D73CE2F7750FC017ABC5CF3DED05F06,IMPHASH=C8B18E9A517CB77EA7AB3E7295D84FE8{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.268{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.268{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.268{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.268{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.268{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2D00-00000000FE01}2460C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.268{5EBD8912-18A9-6154-0A00-00000000FE01}632724C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2D00-00000000FE01}2460C:\Windows\System32\ismserv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.264{5EBD8912-18B9-6154-2D00-00000000FE01}2460C:\Windows\System32\ismserv.exe10.0.14393.0 (rs1_release.160715-1616)Windows NT Intersite Messaging ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationismserv.exeC:\Windows\System32\ismserv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=39F0EC2CAE7FF38BABDDE2252ACCEA67,SHA256=29BDF4D2040D24E02B830A272D02CF29F19FD4E1A0F54F22BCC76301A0BFD26F,IMPHASH=088F7CD1DAA87B8E05239EDAB00479BB{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18A9-6154-0A00-00000000FE01}6322904C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\services.exe+3332|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.167{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-C:\Windows\sysmon64.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.236{5EBD8912-18A9-6154-0A00-00000000FE01}632628C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\system32\dns.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.174{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exe10.0.14393.4530 (rs1_release.210705-0736)Domain Name System (DNS) ServerMicrosoft® Windows® Operating SystemMicrosoft Corporationdns.exeC:\Windows\system32\dns.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=71B9B942CD20776EF137B04678593EE7,SHA256=A4E7C2A7FFE0CB9E14DE9A77445A0E61CB181D8AC5A45F64571E53996E42362C,IMPHASH=F11D7ACAC98040FCC69808598F92C5FA{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.204{5EBD8912-18A9-6154-0A00-00000000FE01}6322920C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.204{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.204{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2600-00000000FE01}2856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.189{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.189{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.173{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.173{5EBD8912-18A9-6154-0A00-00000000FE01}6322912C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.173{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.173{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.157{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.141{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.141{5EBD8912-18A9-6154-0A00-00000000FE01}632304C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.130{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe10.0.14393.4046Microsoft.ActiveDirectory.WebServicesMicrosoft (R) Windows (R) Operating SystemMicrosoft CorporationMicrosoft.ActiveDirectory.WebServices.exeC:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=868245AE57651C1D8889B528A182C81A,SHA256=2BA73582B4334AEDA469B97D528C24CCB2392FD189524198017D59DF4C4F6504,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 13241300x80000000000000001515120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:45.126{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 13241300x80000000000000001515119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:45.126{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001515118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.110{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.110{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.110{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.110{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001515114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:45.110{5EBD8912-18B9-6154-2500-00000000FE01}2836\Winsock2\CatalogChangeListener-b14-0C:\Windows\System32\spoolsv.exe 10341000x80000000000000001515113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.107{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.107{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.099{5EBD8912-18B1-6154-2200-00000000FE01}25842604C:\Windows\system32\conhost.exe{5EBD8912-18B9-6154-2600-00000000FE01}2856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.096{5EBD8912-18A9-6154-0A00-00000000FE01}632716C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.096{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2600-00000000FE01}2856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.096{5EBD8912-18B0-6154-2100-00000000FE01}25482636C:\Users\Public\splunkd.exe{5EBD8912-18B9-6154-2600-00000000FE01}2856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Users\Public\splunkd.exe+5c36e 154100x80000000000000001515107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.096{5EBD8912-18B9-6154-2600-00000000FE01}2856C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell.exe -ExecutionPolicy Bypass -C mxnvdyC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-18B0-6154-2100-00000000FE01}2548C:\Users\Public\splunkd.exe"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp 10341000x80000000000000001515106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.080{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.080{5EBD8912-18A9-6154-0A00-00000000FE01}632304C:\Windows\system32\services.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.057{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe10.0.14393.4651 (rs1_release.210911-1554)Spooler SubSystem AppMicrosoft® Windows® Operating SystemMicrosoft Corporationspoolsv.exeC:\Windows\System32\spoolsv.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=0C3141349E7A2F8309DA835E23BE970F,SHA256=463992A62AC5BFFB8808DEAF8A58A8B52A7B0D3230D655CE98EF0B6A03C5A0B7,IMPHASH=EBCD1C1E4D3D83A9A5CC73CADF7A4B4D{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.051{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.051{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.051{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.051{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 534500x80000000000000001515099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.038{5EBD8912-18B0-6154-2000-00000000FE01}2540C:\Users\Public\sandcat.exe 10341000x80000000000000001515098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:43.513{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:43.513{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.778{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.778{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.778{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.778{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.763{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001515080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:41.685{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\GuidBinary Data 12241200x80000000000000001515079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:41.685{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\Guid 10341000x80000000000000001515078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.653{5EBD8912-18A9-6154-0A00-00000000FE01}632628C:\Windows\system32\services.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.653{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.653{5EBD8912-18A9-6154-0A00-00000000FE01}632304C:\Windows\system32\services.exe{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.654{5EBD8912-18B5-6154-2300-00000000FE01}2660C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k smbsvcsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001515074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.638{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.638{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.638{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:41.638{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001515070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:41.638{5EBD8912-18AB-6154-0D00-00000000FE01}908\RpcProxy\593C:\Windows\system32\svchost.exe 13241300x80000000000000001515069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:41.638{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 17141700x80000000000000001515068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:41.638{5EBD8912-18A9-6154-0B00-00000000FE01}640\5ec7f05d5bbad410C:\Windows\system32\lsass.exe 17141700x80000000000000001515067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:41.638{5EBD8912-18A9-6154-0B00-00000000FE01}640\RpcProxy\49671C:\Windows\system32\lsass.exe 10341000x80000000000000001515066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:40.403{5EBD8912-18AC-6154-1200-00000000FE01}4521120C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001515065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:40.372{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001515064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001515063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001515062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001515061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000000) 13241300x80000000000000001515060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001515059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001515058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001515057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001515056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001515055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001515054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001515053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:39.341{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001515052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:37.023{5EBD8912-18B1-6154-2200-00000000FE01}25842604C:\Windows\system32\conhost.exe{5EBD8912-18B0-6154-2100-00000000FE01}2548C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:37.013{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B1-6154-2200-00000000FE01}2584C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:37.006{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B0-6154-2100-00000000FE01}2548C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:37.004{5EBD8912-18AC-6154-1800-00000000FE01}19162508-{5EBD8912-18B0-6154-2100-00000000FE01}2548C:\Users\Public\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\shell32.dll+3ccff|C:\Windows\System32\shell32.dll+3cb8c|C:\Windows\System32\shell32.dll+3c8dc|C:\Windows\System32\shell32.dll+e2157|C:\Windows\System32\shell32.dll+e20b5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c01b0|UNKNOWN(0000000000000000)|UNKNOWN(0000000000000000) 154100x80000000000000001515048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.934{5EBD8912-18B0-6154-2100-00000000FE01}2548C:\Users\Public\splunkd.exe-----"C:\Users\Public\splunkd.exe" -socket 10.0.1.12:7010 -http http://10.0.1.12:8888 -contact tcp C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=32E2535A13E90442893737530C4773D1,SHA256=C4A32E14644C0859C895A66C96AECC9647949F8295EADE40ACE7F3EFC597C6F9,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_manx_agent.ps1 10341000x80000000000000001515047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.967{5EBD8912-18AD-6154-1B00-00000000FE01}19962088C:\Windows\system32\conhost.exe{5EBD8912-18B0-6154-2000-00000000FE01}2540C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.967{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18B0-6154-2000-00000000FE01}2540C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.967{5EBD8912-18AD-6154-1900-00000000FE01}19602512C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18B0-6154-2000-00000000FE01}2540C:\Users\Public\sandcat.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4809|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2c4179|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+54d90024(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+5421347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+542130b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+54cdb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+541d002a(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+54233a9c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+54215aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+54215aab(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+5421593c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+5420665c(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+54213b9e(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+54213710(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+5421347d(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+542130b8(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+54cdb3e6(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+541f8363(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+541f78d5(wow64) 154100x80000000000000001515044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.896{5EBD8912-18B0-6154-2000-00000000FE01}2540C:\Users\Public\sandcat.exe-----"C:\Users\Public\sandcat.exe" -server http://10.0.1.12:8888 -group my_group -vC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=4AAC4143487A1888FC416C8D6AAA28BF,SHA256=A98ED4833C64FF96AD74F1A76358B1FB947C7BC61502E51624AFE6944982EC93,IMPHASH=1CD364A9E949D5ECEBD6C614E64BC545{5EBD8912-18AD-6154-1900-00000000FE01}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Unrestricted -NonInteractive -File C:\caldera_agent.ps1 11241100x80000000000000001515043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localEXE2021-09-29 07:41:36.842{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\splunkd.exe2021-09-23 08:15:58.405 10341000x80000000000000001515042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AD-6154-1F00-00000000FE01}2100C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.826{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AD-6154-1900-00000000FE01}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.811{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.811{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.811{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AC-6154-1000-00000000FE01}440C:\Windows\system32\dwm.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.811{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AD-6154-1A00-00000000FE01}2004C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.811{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AD-6154-1B00-00000000FE01}1996C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.811{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AD-6154-1E00-00000000FE01}1812C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 10341000x80000000000000001515023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.811{5EBD8912-18AC-6154-1800-00000000FE01}19162508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-18AD-6154-1D00-00000000FE01}1644C:\Windows\system32\compattelrunner.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+381e70|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2fa12e|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f956f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f94a6|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2f8620|UNKNOWN(00007FF7F9AF3F61) 13241300x80000000000000001515022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:36.795{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000043b) 11241100x80000000000000001515021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localEXE2021-09-29 07:41:36.422{5EBD8912-18AD-6154-1900-00000000FE01}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Public\sandcat.exe2021-09-23 08:15:50.994 10341000x80000000000000001515020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:36.123{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001515008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:35.983{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 10341000x80000000000000001515007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.842{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18AD-6154-1900-00000000FE01}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.842{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18AD-6154-1900-00000000FE01}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.842{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.842{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.608{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:35.545{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{5dd491df-f412-4514-aed4-6dd25c824fd2}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001514990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:35.545{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{5dd491df-f412-4514-aed4-6dd25c824fd2}\LastProbeTimeDWORD (0x615418af) 13241300x80000000000000001514989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:35.545{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{5DD491DF-F412-4514-AED4-6DD25C824FD2}\DateLastConnectedBinary Data 17141700x80000000000000001514988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:35.467{5EBD8912-18AD-6154-1900-00000000FE01}1960\PSHost.132773748930183370.1960.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 17141700x80000000000000001514987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:35.467{5EBD8912-18AC-6154-1800-00000000FE01}1916\PSHost.132773748929468137.1916.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001514986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.358{5EBD8912-18AC-6154-1200-00000000FE01}4521736C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001514985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.342{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.342{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:35.326{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000001514982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.279{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.279{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.279{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001514979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.092{5EBD8912-18AD-6154-1900-00000000FE01}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_w1zt1ks2.s0n.ps12021-09-29 07:41:35.092 11241100x80000000000000001514978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.092{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_eki1dmtm.tcp.ps12021-09-29 07:41:35.061 10341000x80000000000000001514977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.029{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:35.014{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AD-6154-1900-00000000FE01}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:34.811{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000043a) 13241300x80000000000000001514974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:34.342{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpGatewayHardwareCountDWORD (0x00000001) 13241300x80000000000000001514973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:34.342{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpGatewayHardwareBinary Data 12241200x80000000000000001514972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:34.342{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpGatewayHardwareCount 12241200x80000000000000001514971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:34.342{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpGatewayHardware 13241300x80000000000000001514970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:34.326{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001514969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:34.326{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001514968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:34.326{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 10341000x80000000000000001514967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.436{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18AD-6154-1F00-00000000FE01}2100C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.436{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18AD-6154-1F00-00000000FE01}2100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.326{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007b1) 10341000x80000000000000001514964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.311{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.311{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.311{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001514951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.295{5EBD8912-18A9-6154-0A00-00000000FE01}632628C:\Windows\system32\services.exe{5EBD8912-18AD-6154-1F00-00000000FE01}2100C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.279{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18AD-6154-1F00-00000000FE01}2100C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.279{5EBD8912-18A9-6154-0A00-00000000FE01}632296C:\Windows\system32\services.exe{5EBD8912-18AD-6154-1F00-00000000FE01}2100C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.279{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007b0) 10341000x80000000000000001514946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.279{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.279{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.279{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.264{5EBD8912-18AD-6154-1B00-00000000FE01}19962088C:\Windows\system32\conhost.exe{5EBD8912-18AD-6154-1900-00000000FE01}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.264{5EBD8912-18AD-6154-1E00-00000000FE01}18122084C:\Windows\system32\conhost.exe{5EBD8912-18AD-6154-1D00-00000000FE01}1644C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.264{5EBD8912-18AD-6154-1A00-00000000FE01}20042076C:\Windows\system32\conhost.exe{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.248{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Options\EnablePacketQueueDWORD (0x00000000) 13241300x80000000000000001514939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.248{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\Schedule\FailureActionsBinary Data 10341000x80000000000000001514938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.248{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18AD-6154-1E00-00000000FE01}1812C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.248{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18AD-6154-1D00-00000000FE01}1644C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.248{5EBD8912-18AC-6154-1600-00000000FE01}12721156C:\Windows\system32\svchost.exe{5EBD8912-18AD-6154-1D00-00000000FE01}1644C:\Windows\system32\compattelrunner.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.233{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.233{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001514933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.186{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exeC:\Windows\System32\wbem\Repository\WRITABLE.TST2021-09-29 07:41:33.186 10341000x80000000000000001514932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.186{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.186{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.139{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.139{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.139{5EBD8912-18AC-6154-1600-00000000FE01}12721820C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.123{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1996C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.123{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}2004C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001514925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001514924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\DriverMajorVersionDWORD (0x00000001) 13241300x80000000000000001514923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001514922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001514921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001514920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000001) 13241300x80000000000000001514919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:33.123{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\0SWD\IP_TUNNEL_VBUS\ISATAP_1 10341000x80000000000000001514918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.123{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.123{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.123{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.108{5EBD8912-18AC-6154-1200-00000000FE01}4521068C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001514914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.092{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.092{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.014{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.014{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{00000000-0000-0000-0000-000000000000}1960C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.014{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.014{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.983{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.983{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.983{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.951{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.951{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1800-00000000FE01}1916C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.936{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.920{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.920{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.920{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001514889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.873{5EBD8912-18AC-6154-1600-00000000FE01}1272\Winsock2\CatalogChangeListener-4f8-0C:\Windows\system32\svchost.exe 17141700x80000000000000001514888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.873{5EBD8912-18AC-6154-1600-00000000FE01}1272\SessEnvPublicRpcC:\Windows\system32\svchost.exe 11241100x80000000000000001514887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT10532021-09-29 07:41:32.842{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exeC:\Windows\Tasks\SA.DAT2016-09-12 11:34:03.403 17141700x80000000000000001514886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.842{5EBD8912-18AC-6154-1600-00000000FE01}1272\atsvcC:\Windows\system32\svchost.exe 13241300x80000000000000001514885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.795{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Winmgmt\Parameters\ServiceDllUnloadOnStopDWORD (0x00000001) 13241300x80000000000000001514884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.686{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\srvnet\Parameters\MajorSequenceDWORD (0x000001fe) 17141700x80000000000000001514883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.639{5EBD8912-18A9-6154-0B00-00000000FE01}640\Winsock2\CatalogChangeListener-280-1C:\Windows\system32\lsass.exe 13241300x80000000000000001514882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.639{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 17141700x80000000000000001514881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.623{5EBD8912-18A9-6154-0B00-00000000FE01}640\Winsock2\CatalogChangeListener-280-0C:\Windows\system32\lsass.exe 10341000x80000000000000001514880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.608{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.608{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.608{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001514877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.592{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001514873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1000-00000000FE01}440C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.592{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.576{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.576{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.561{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.561{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.561{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.561{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.561{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.561{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.545{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\EventLog\System\mrxsmb\ParameterMessageFile%%SystemRoot%%\System32\kernel32.dll 10341000x80000000000000001514850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.545{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.545{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.545{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.545{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18A9-6154-0A00-00000000FE01}632296C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001514840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.514{5EBD8912-18AC-6154-0F00-00000000FE01}96\Ctx_WinStation_API_serviceC:\Windows\System32\svchost.exe 17141700x80000000000000001514839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.514{5EBD8912-18AC-6154-0F00-00000000FE01}96\TermSrv_API_serviceC:\Windows\System32\svchost.exe 10341000x80000000000000001514838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.514{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.498{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.498{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.498{5EBD8912-18A9-6154-0A00-00000000FE01}632300C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.483{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.483{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.483{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.483{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.483{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.483{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001514826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.483{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001514825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.483{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001514824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.483{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\rspndr\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001514823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001514822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\DriverMajorVersionDWORD (0x0000000a) 13241300x80000000000000001514821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001514820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\MsLldp\NdisMajorVersionDWORD (0x00000006) 13241300x80000000000000001514819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMinorVersionDWORD (0x00000000) 13241300x80000000000000001514818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\DriverMajorVersionDWORD (0x00000000) 13241300x80000000000000001514817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMinorVersionDWORD (0x0000001e) 13241300x80000000000000001514816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\lltdio\NdisMajorVersionDWORD (0x00000006) 10341000x80000000000000001514815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.451{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.451{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.451{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001514812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.451{5EBD8912-18AC-6154-1100-00000000FE01}444\Winsock2\CatalogChangeListener-1bc-0C:\Windows\System32\svchost.exe 17141700x80000000000000001514811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:32.451{5EBD8912-18AC-6154-1100-00000000FE01}444\eventlogC:\Windows\System32\svchost.exe 13241300x80000000000000001514810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\NextInstanceDWORD (0x00000015) 13241300x80000000000000001514809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\CountDWORD (0x00000015) 13241300x80000000000000001514808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\xenfilt\Enum\20UMB\UMB\1&841921d&0&TERMINPUT_BUS 13241300x80000000000000001514807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001514806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\CountDWORD (0x00000002) 13241300x80000000000000001514805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\umbus\Enum\1UMB\UMB\1&841921d&0&TERMINPUT_BUS 10341000x80000000000000001514804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.436{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.436{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.420{5EBD8912-18A9-6154-0A00-00000000FE01}632696C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.420{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.406{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.406{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.406{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.406{5EBD8912-18A9-6154-0A00-00000000FE01}632628C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.406{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18A9-6154-0A00-00000000FE01}632720C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+220e1|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.390{5EBD8912-18A9-6154-0A00-00000000FE01}632300C:\Windows\system32\services.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18A9-6154-0A00-00000000FE01}632696C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.373{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.373{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\wcifs\Parameters\WppRecorder_TraceGuid{803cb23a-e32b-4200-bd82-d8a15919ac1b} 10341000x80000000000000001514775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.311{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.311{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001514772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001514771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001514770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x615426bc) 13241300x80000000000000001514769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x615424fa) 13241300x80000000000000001514768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x61541fb4) 13241300x80000000000000001514767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x615418ac) 13241300x80000000000000001514766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000e10) 13241300x80000000000000001514765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer10.0.1.1 13241300x80000000000000001514764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001514763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress10.0.1.14 13241300x80000000000000001514762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptionsBinary Data 13241300x80000000000000001514761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMaskOptBinary Data 13241300x80000000000000001514760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpDefaultGatewayBinary Data 13241300x80000000000000001514759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpNameServer10.0.0.2 13241300x80000000000000001514758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer10.0.0.2 13241300x80000000000000001514757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001514756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpDomaineu-central-1.compute.internal 13241300x80000000000000001514755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomaineu-central-1.compute.internal 13241300x80000000000000001514754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.295{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001514753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001514752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001514751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001514750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseTerminatesTimeDWORD (0x00000000) 13241300x80000000000000001514749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T2DWORD (0x00000000) 13241300x80000000000000001514748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\T1DWORD (0x00000000) 13241300x80000000000000001514747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseObtainedTimeDWORD (0x00000000) 13241300x80000000000000001514746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\LeaseDWORD (0x00000000) 13241300x80000000000000001514745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpServer255.255.255.255 13241300x80000000000000001514744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMask255.0.0.0 13241300x80000000000000001514743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpIPAddress0.0.0.0 12241200x80000000000000001514742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpInterfaceOptions 13241300x80000000000000001514741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 13241300x80000000000000001514740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\Dhcpv6StateDWORD (0x00000001) 12241200x80000000000000001514739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpDefaultGateway 12241200x80000000000000001514738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpSubnetMaskOpt 12241200x80000000000000001514737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpDomain 12241200x80000000000000001514736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpDomain 12241200x80000000000000001514735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\DhcpNameServer 12241200x80000000000000001514734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-DeleteValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DhcpNameServer 13241300x80000000000000001514733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.264{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{539531aa-0a0b-4bba-b26e-65076530b444}\Dhcpv6StateDWORD (0x00000000) 10341000x80000000000000001514732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.248{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.248{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:32.233{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\DHCP\CollectionBinary Data 10341000x80000000000000001514729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.217{5EBD8912-18A9-6154-0A00-00000000FE01}632296C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.217{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.201{5EBD8912-18A9-6154-0A00-00000000FE01}632720C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.186{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.186{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.186{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.186{5EBD8912-18AC-6154-0E00-00000000FE01}10121044C:\Windows\system32\LogonUI.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.170{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.170{5EBD8912-18A9-6154-0A00-00000000FE01}632724C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.170{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.170{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.170{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.170{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.170{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.170{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.154{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.154{5EBD8912-18A9-6154-0A00-00000000FE01}632708C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.154{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.154{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.154{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.154{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.139{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.139{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.139{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.139{5EBD8912-18A9-6154-0A00-00000000FE01}632696C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.139{5EBD8912-18A9-6154-0A00-00000000FE01}632628C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.139{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.139{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.108{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.108{5EBD8912-18A9-6154-0A00-00000000FE01}632300C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.108{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.108{5EBD8912-18A9-6154-0A00-00000000FE01}632724C:\Windows\system32\services.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001514697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.113{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k LocalServiceC:\Windows\system32\NT AUTHORITY\LOCAL SERVICE{5EBD8912-18AC-6154-E503-000000000000}0x3e50SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001514696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.092{5EBD8912-18A9-6154-0800-00000000FE01}508608C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-1000-00000000FE01}440C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.092{5EBD8912-18A9-6154-0900-00000000FE01}5801000C:\Windows\system32\winlogon.exe{5EBD8912-18AC-6154-1000-00000000FE01}440C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001514694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.103{5EBD8912-18AC-6154-1000-00000000FE01}440C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-1{5EBD8912-18AC-6154-18BD-000000000000}0xbd181SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001514693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.092{5EBD8912-18A9-6154-0A00-00000000FE01}632296C:\Windows\system32\services.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.092{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1b140|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.092{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.092{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.092{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.077{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.077{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.077{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.077{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.077{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18A9-6154-0A00-00000000FE01}632720C:\Windows\system32\services.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001514679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.072{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\System32\svchost.exe -k termsvcsC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5EBD8912-18AB-6154-E403-000000000000}0x3e40SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001514678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.061{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.029{5EBD8912-18A9-6154-0800-00000000FE01}508524C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.029{5EBD8912-18A9-6154-0900-00000000FE01}580584C:\Windows\system32\winlogon.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001514671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.036{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3b8e855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e71SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001514670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.029{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.029{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.029{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:32.029{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.951{5EBD8912-18AB-6154-0C00-00000000FE01}852880C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.951{5EBD8912-18AB-6154-0C00-00000000FE01}852880C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.951{5EBD8912-18AB-6154-0C00-00000000FE01}852880C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.951{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0500-00000000FE01}416C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.951{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0800-00000000FE01}508C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001514661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:31.951{5EBD8912-18AB-6154-0C00-00000000FE01}852\LSM_API_serviceC:\Windows\system32\svchost.exe 10341000x80000000000000001514660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.936{5EBD8912-18AB-6154-0C00-00000000FE01}852948C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0800-00000000FE01}508C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.936{5EBD8912-18AB-6154-0C00-00000000FE01}852948C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.936{5EBD8912-18AB-6154-0C00-00000000FE01}852948C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+373fc|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.936{5EBD8912-18AB-6154-0C00-00000000FE01}852948C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0500-00000000FE01}416C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.936{5EBD8912-18AB-6154-0C00-00000000FE01}852948C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.936{5EBD8912-18AB-6154-0C00-00000000FE01}852948C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\system32\wininit.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|c:\windows\system32\lsm.dll+3735d|c:\windows\system32\lsm.dll+158f9|c:\windows\system32\lsm.dll+36198|c:\windows\system32\lsm.dll+3530a|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.936{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\system32\svchost.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001514653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:31.889{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x80000000000000001514652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:31.889{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 13241300x80000000000000001514651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:31.889{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\RPC-EPMap\CollectionBinary Data 10341000x80000000000000001514650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.858{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.858{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\system32\wininit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001514648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:31.858{5EBD8912-18A9-6154-0700-00000000FE01}500\Winsock2\CatalogChangeListener-1f4-0C:\Windows\system32\wininit.exe 17141700x80000000000000001514647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:31.858{5EBD8912-18AB-6154-0D00-00000000FE01}908\epmapperC:\Windows\system32\svchost.exe 10341000x80000000000000001514646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.858{5EBD8912-18AB-6154-0C00-00000000FE01}852880C:\Windows\system32\svchost.exe{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+480e8|c:\windows\system32\rpcss.dll+3c003|c:\windows\system32\rpcss.dll+3bf6e|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001514645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:31.858{5EBD8912-18AB-6154-0D00-00000000FE01}908\Winsock2\CatalogChangeListener-38c-0C:\Windows\system32\svchost.exe 10341000x80000000000000001514644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.842{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.842{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.842{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.826{5EBD8912-18A9-6154-0A00-00000000FE01}632724C:\Windows\system32\services.exe{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.826{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.826{5EBD8912-18A9-6154-0A00-00000000FE01}632636C:\Windows\system32\services.exe{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+ddc1|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a423|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.811{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.811{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.811{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.795{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.654{5EBD8912-18A9-6154-0A00-00000000FE01}632724C:\Windows\system32\services.exe{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.654{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.654{5EBD8912-18A9-6154-0A00-00000000FE01}632636C:\Windows\system32\services.exe{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+1a698|C:\Windows\system32\services.exe+1a391|C:\Windows\system32\services.exe+20187|C:\Windows\system32\services.exe+21f27|C:\Windows\system32\services.exe+2486c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001514631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.661{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exe10.0.14393.0 (rs1_release.160715-1616)Host Process for Windows ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationsvchost.exeC:\Windows\system32\svchost.exe -k DcomLaunchC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36F670D89040709013F6A460176767EC,SHA256=438B6CCD84F4DD32D9684ED7D58FD7D1E5A75FE3F3D12AB6C788E6BB0FFAD5E7,IMPHASH=2CED93915677390B76EE1916B92F3EF6{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001514630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:31.654{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001514629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:31.389{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\DSA Database EpochDWORD (0x0000144c) 10341000x80000000000000001514628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:30.186{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:30.186{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:30.186{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001514625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:30.170{5EBD8912-18A9-6154-0A00-00000000FE01}632\scerpcC:\Windows\system32\services.exe 10341000x80000000000000001514624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:30.170{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:30.170{5EBD8912-18A9-6154-0B00-00000000FE01}640688C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001514622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:30.154{5EBD8912-18A9-6154-0A00-00000000FE01}632\ntsvcsC:\Windows\system32\services.exe 10341000x80000000000000001514621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.826{5EBD8912-18A9-6154-0B00-00000000FE01}640644C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+4f6ac|C:\Windows\system32\lsasrv.dll+5815f|C:\Windows\system32\lsasrv.dll+6369e|C:\Windows\system32\lsass.exe+2086|C:\Windows\system32\lsass.exe+1e11|C:\Windows\system32\lsass.exe+1551|C:\Windows\system32\lsass.exe+4708|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.717{5EBD8912-18A9-6154-0700-00000000FE01}500504C:\Windows\system32\wininit.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1000000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wininit.exe+b9e0|C:\Windows\system32\wininit.exe+94ff|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001514619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.717{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.717{5EBD8912-18A9-6154-0700-00000000FE01}500504C:\Windows\system32\wininit.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+8c5f|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001514617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.729{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exe10.0.14393.2580 (rs1_release_inmarket.181009-1745)Local Security Authority ProcessMicrosoft® Windows® Operating SystemMicrosoft Corporationlsass.exeC:\Windows\system32\lsass.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=5AE8589CDDE46ED132AEF8280BC8894A,SHA256=D957A03C6EA35CBF0C90B0B088DF07E7803A1A3EEB4BA889038F88DB066BBDC4,IMPHASH=0AA67FE637515AC7535797573607EAA2{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\System32\wininit.exewininit.exe 10341000x80000000000000001514616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.686{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.686{5EBD8912-18A9-6154-0700-00000000FE01}500504C:\Windows\system32\wininit.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\wininit.exe+94d2|C:\Windows\system32\wininit.exe+5977|C:\Windows\system32\wininit.exe+4b9b|C:\Windows\system32\wininit.exe+546c|C:\Windows\system32\wininit.exe+cb13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001514614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.680{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exe10.0.14393.4169 (rs1_release.210107-1130)Services and Controller appMicrosoft® Windows® Operating SystemMicrosoft Corporationservices.exeC:\Windows\system32\services.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=FEFC26105685C70D7260170489B5B520,SHA256=930F44F9A599937BDB23CF0C7EA4D158991B837D2A0975C15686CDD4198808E8,IMPHASH=A1C9FD59764D67AA201947276212F7CF{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\System32\wininit.exewininit.exe 17141700x80000000000000001514613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:29.670{5EBD8912-18A9-6154-0700-00000000FE01}500\InitShutdownC:\Windows\system32\wininit.exe 13241300x80000000000000001514612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:41:29.608{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 13241300x80000000000000001514611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:41:29.592{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\system32\wininit.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001514610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.561{5EBD8912-18A9-6154-0600-00000000FE01}492496C:\Windows\System32\smss.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001514609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.562{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e71SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5EBD8912-18A9-6154-0600-00000000FE01}492C:\Windows\System32\smss.exe- 10341000x80000000000000001514608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.545{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{5EBD8912-18A9-6154-0800-00000000FE01}508C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001514607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:29.514{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Domainattackrange.local 13241300x80000000000000001514606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:29.514{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\system32\wininit.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Hostnamewin-dc-429 10341000x80000000000000001514605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.514{5EBD8912-18A9-6154-0400-00000000FE01}408412C:\Windows\System32\smss.exe{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\system32\wininit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001514604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.517{5EBD8912-18A9-6154-0700-00000000FE01}500C:\Windows\System32\wininit.exe10.0.14393.2273 (rs1_release_1.180427-1811)Windows Start-Up ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWinInit.exewininit.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=5A998F811D7805B79B8E769027F62FD2,SHA256=8694C5732D26921EEA29589A9FA4182139EF3D9EA6B6D0ACCA8994B4AA5DEFE5,IMPHASH=C8D526C4E61942E1B11AE4B7EE2DDE5D{5EBD8912-18A9-6154-0400-00000000FE01}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000001d4 0000007c 10341000x80000000000000001514603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.514{5EBD8912-18A9-6154-0600-00000000FE01}492496C:\Windows\System32\smss.exe{5EBD8912-18A9-6154-0800-00000000FE01}508C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001514602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.522{5EBD8912-18A9-6154-0800-00000000FE01}508C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e71SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5EBD8912-18A9-6154-0600-00000000FE01}492C:\Windows\System32\smss.exe- 10341000x80000000000000001514601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.514{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{5EBD8912-18A9-6154-0600-00000000FE01}492C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.514{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{5EBD8912-18A9-6154-0600-00000000FE01}492C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001514599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.514{5EBD8912-18A9-6154-0600-00000000FE01}492C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000001c0 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e71SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5EBD8912-1892-6154-0200-00000000FE01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 10341000x80000000000000001514598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.498{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{5EBD8912-18A9-6154-0500-00000000FE01}416C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 13241300x80000000000000001514597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:29.451{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Parameters\Wdf\TimeOfLastTelemetryLogQWORD (0x01d7b505-0x6a5ac9e7) 13241300x80000000000000001514596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:29.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001514595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:29.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\CountDWORD (0x00000001) 13241300x80000000000000001514594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:29.436{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\monitor\Enum\0DISPLAY\Default_Monitor\4&6798829&0&UID0 13241300x80000000000000001514593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:29.436{5EBD8912-18A9-6154-0500-00000000FE01}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\VolatileSettings\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}Binary Data 13241300x80000000000000001514592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:29.436{5EBD8912-18A9-6154-0500-00000000FE01}416C:\Windows\system32\csrss.exeHKLM\System\CurrentControlSet\Services\BasicDisplay\Video\ServiceBasicDisplay 10341000x80000000000000001514591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.373{5EBD8912-18A9-6154-0400-00000000FE01}408412C:\Windows\System32\smss.exe{5EBD8912-18A9-6154-0500-00000000FE01}416C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001514590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.380{5EBD8912-18A9-6154-0500-00000000FE01}416C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5EBD8912-18A9-6154-0400-00000000FE01}408C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000001d4 0000007c 10341000x80000000000000001514589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.279{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001514588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.279{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{00000000-0000-0000-0000-000000000000}408C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+c18e|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001514587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.281{5EBD8912-18A9-6154-0400-00000000FE01}408C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000001d4 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5EBD8912-1892-6154-0200-00000000FE01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 354300x80000000000000001423069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:45.673{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-13335-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001515817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.981{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4B00-00000000FE01}3932C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.980{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4B00-00000000FE01}3932C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.978{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.978{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.978{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.978{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.978{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.974{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4A00-00000000FE01}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.973{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.973{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.972{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.972{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.972{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.972{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.972{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.972{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.972{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.972{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4A00-00000000FE01}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.971{5EBD8912-18BB-6154-4500-00000000FE01}36603664C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BB-6154-4A00-00000000FE01}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+64ab|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1807c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.971{5EBD8912-18BB-6154-4A00-00000000FE01}3912C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" check-licenseC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001515797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.936{5EBD8912-18AC-6154-1600-00000000FE01}12722072C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4900-00000000FE01}3840C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+2dbe|C:\Windows\system32\wbem\wmiprvsd.dll+155e9|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wmiprvsd.dll+fa1f|C:\Windows\system32\wbem\wmiprvsd.dll+1351d|C:\Windows\system32\wbem\wmiprvsd.dll+127f4|C:\Windows\system32\wbem\wbemcore.dll+1016a|C:\Windows\system32\wbem\wbemcore.dll+2d15f|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.924{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.924{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.924{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4900-00000000FE01}3840C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.924{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.924{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.924{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.923{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.923{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.923{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.923{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.920{5EBD8912-18BB-6154-4600-00000000FE01}36803684C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.865{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4900-00000000FE01}3840C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.864{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4900-00000000FE01}3840C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.796{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BB-6154-4800-00000000FE01}3820C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.796{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BB-6154-4800-00000000FE01}3820C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.790{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4800-00000000FE01}3820C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.777{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4800-00000000FE01}3820C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.772{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4800-00000000FE01}3820C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.772{5EBD8912-18BB-6154-4300-00000000FE01}36403644C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BB-6154-4800-00000000FE01}3820C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001515777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.763{5EBD8912-18BB-6154-4800-00000000FE01}3820C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get Version /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001515776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.673{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.610{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4700-00000000FE01}3724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.609{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.609{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.602{5EBD8912-18B9-6154-2800-00000000FE01}29522448C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe+6ed7e 154100x80000000000000001515763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.383{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe-----"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=26B76A159CC149F82352B4A99601043A,SHA256=B7EF09E159A17072EF7A93D8B1369902C851B5C40404F44EB802A83131708B2F,IMPHASH=4035D2883E01D64F3E7A9DCCB1D63AF5{5EBD8912-18B9-6154-2800-00000000FE01}2952C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe"C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe" 10341000x80000000000000001515762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4600-00000000FE01}3680C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4600-00000000FE01}3680C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.443{5EBD8912-18BB-6154-4500-00000000FE01}36603664C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BB-6154-4600-00000000FE01}3680C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1803d|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.451{5EBD8912-18BB-6154-4600-00000000FE01}3680C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" generate-sslC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001515749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18BB-6154-4400-00000000FE01}36483652C:\Windows\system32\cmd.exe{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.435{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5EBD8912-18BB-6154-4400-00000000FE01}3648C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1 10341000x80000000000000001515736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4400-00000000FE01}3648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4400-00000000FE01}3648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.427{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BB-6154-4400-00000000FE01}3648C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd15|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.429{5EBD8912-18BB-6154-4400-00000000FE01}3648C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001515723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.381{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.350{5EBD8912-18BB-6154-4200-00000000FE01}36163620C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4200-00000000FE01}3616C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4200-00000000FE01}3616C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.097{5EBD8912-18BB-6154-4100-00000000FE01}35963600C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-18BB-6154-4200-00000000FE01}3616C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.098{5EBD8912-18BB-6154-4200-00000000FE01}3616C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BB-6154-4100-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list kvstore --no-log 10341000x80000000000000001515708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4100-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4100-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.081{5EBD8912-18BB-6154-4000-00000000FE01}35843588C:\Windows\system32\cmd.exe{5EBD8912-18BB-6154-4100-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.082{5EBD8912-18BB-6154-4100-00000000FE01}3596C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-18BB-6154-4000-00000000FE01}3584C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-log 10341000x80000000000000001515695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BB-6154-4000-00000000FE01}3584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BB-6154-4000-00000000FE01}3584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.066{5EBD8912-18BA-6154-3700-00000000FE01}33363340C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BB-6154-4000-00000000FE01}3584C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+14ab4|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+d1d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.077{5EBD8912-18BB-6154-4000-00000000FE01}3584C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list kvstore --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18BA-6154-3700-00000000FE01}3336C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal_extra_splunkd_service_args 10341000x80000000000000001515682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.049{5EBD8912-18BA-6154-3D00-00000000FE01}34643468C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001423070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:46.602{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-14725-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001515959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BC-6154-5100-00000000FE01}3632C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BC-6154-5100-00000000FE01}3632C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.914{5EBD8912-18BC-6154-5000-00000000FE01}34403464C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-18BC-6154-5100-00000000FE01}3632C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.918{5EBD8912-18BC-6154-5100-00000000FE01}3632C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BC-6154-5000-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warnings 10341000x80000000000000001515946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BC-6154-5000-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001515936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.750{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49690-false169.254.169.254-80http 354300x80000000000000001515935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.747{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49689-false169.254.169.254-80http 354300x80000000000000001515934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.744{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49688-false169.254.169.254-80http 354300x80000000000000001515933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.742{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49687-false169.254.169.254-80http 354300x80000000000000001515932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.740{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49686-false169.254.169.254-80http 10341000x80000000000000001515931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BC-6154-5000-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 354300x80000000000000001515930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.735{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49685-false169.254.169.254-80http 354300x80000000000000001515929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.733{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49684-false169.254.169.254-80http 354300x80000000000000001515928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.688{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-49507- 354300x80000000000000001515927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.508{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-58844- 354300x80000000000000001515926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.350{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x80000000000000001515925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.717{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54013- 354300x80000000000000001515924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.717{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue7f00:1:0:0:9870:8404:84ce:ffff-54013-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000001515923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.577{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-50120- 354300x80000000000000001515922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.503{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58844- 10341000x80000000000000001515921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.898{5EBD8912-18BB-6154-4500-00000000FE01}36603664C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BC-6154-5000-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18192|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.911{5EBD8912-18BC-6154-5000-00000000FE01}3440C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-strptime --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001515919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.854{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BC-6154-4F00-00000000FE01}3408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.815{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BC-6154-4F00-00000000FE01}3408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.813{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.813{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.813{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.813{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.813{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.813{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.812{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.812{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.812{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.812{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BC-6154-4F00-00000000FE01}3408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.811{5EBD8912-18BB-6154-4300-00000000FE01}36403780C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BC-6154-4F00-00000000FE01}3408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001515906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.812{5EBD8912-18BC-6154-4F00-00000000FE01}3408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_OperatingSystem" "| Select-Object" "Version, OperatingSystemSKU" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001515905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.790{5EBD8912-18BC-6154-4C00-00000000FE01}3984NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001515904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.750{5EBD8912-18BC-6154-4E00-00000000FE01}32683256C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001515903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.500{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49683-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001515902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.500{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49683-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001515901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.374{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-61546- 354300x80000000000000001515900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.218{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-63512- 354300x80000000000000001515899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.202{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-59867- 354300x80000000000000001515898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.164{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001515897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.046{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-51410- 354300x80000000000000001515896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.888{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-52201- 354300x80000000000000001515895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.811{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-58794- 354300x80000000000000001515894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.719{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54013- 354300x80000000000000001515893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.719{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54013-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 22542200x80000000000000001515892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.517{5EBD8912-18A9-6154-0B00-00000000FE01}640win-dc-429010.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001515891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:46.515{5EBD8912-18B9-6154-2700-00000000FE01}2944win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x80000000000000001515890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BC-6154-4E00-00000000FE01}3268C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BC-6154-4E00-00000000FE01}3268C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.346{5EBD8912-18BC-6154-4D00-00000000FE01}32363284C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-18BC-6154-4E00-00000000FE01}3268C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.347{5EBD8912-18BC-6154-4E00-00000000FE01}3268C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BC-6154-4D00-00000000FE01}3236C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-log 10341000x80000000000000001515877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BC-6154-4D00-00000000FE01}3236C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BC-6154-4D00-00000000FE01}3236C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18BB-6154-4500-00000000FE01}36603664C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BC-6154-4D00-00000000FE01}3236C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1815e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.340{5EBD8912-18BC-6154-4D00-00000000FE01}3236C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" check --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001515864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001515863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001515862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001515861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001515860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001515859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001515858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.313{5EBD8912-18B9-6154-2F00-00000000FE01}24083472C:\Windows\system32\DFSRs.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\wmidcom.dll+58a6|C:\Windows\system32\wmidcom.dll+5464|C:\Windows\system32\wmidcom.dll+5495|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.297{5EBD8912-18AC-6154-1600-00000000FE01}12721000C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001515856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.297{5EBD8912-18AC-6154-1600-00000000FE01}12721000C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001515855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.297{5EBD8912-18AC-6154-1600-00000000FE01}12721000C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001515854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.297{5EBD8912-18AC-6154-1600-00000000FE01}12721000C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001515853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.297{5EBD8912-18AC-6154-1600-00000000FE01}12721000C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001515852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.297{5EBD8912-18AC-6154-1600-00000000FE01}12721000C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+264a1|C:\Windows\system32\wbem\wmiprvsd.dll+2669f|C:\Windows\system32\wbem\wmiprvsd.dll+25c4b|C:\Windows\system32\wbem\wmiprvsd.dll+27476|C:\Windows\system32\wbem\wmiprvsd.dll+27db2|C:\Windows\system32\wbem\wmiprvsd.dll+277c9|C:\Windows\system32\wbem\wmiprvsd.dll+26100|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001515851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.297{5EBD8912-18B9-6154-2F00-00000000FE01}24082344C:\Windows\system32\DFSRs.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d847d|C:\Windows\system32\DFSRs.exe+c3ca|C:\Windows\system32\DFSRs.exe+51c1|C:\Windows\system32\DFSRs.exe+73b2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.282{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+261b7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001515849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.282{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+25d35|C:\Windows\system32\wbem\wmiprvsd.dll+2619d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001515848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.282{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4A00-00000000FE01}3912C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.282{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001515846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.282{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+281af|C:\Windows\system32\wbem\wmiprvsd.dll+2982c|C:\Windows\system32\wbem\wmiprvsd.dll+292fb|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001515845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.282{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+5a1b8|C:\Windows\system32\wbem\wmiprvsd.dll+35a49|C:\Windows\system32\wbem\wmiprvsd.dll+2807f|C:\Windows\system32\wbem\wmiprvsd.dll+29591|C:\Windows\system32\wbem\wmiprvsd.dll+292c2|C:\Windows\system32\wbem\wmiprvsd.dll+26165|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\combase.dll+12d0|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001515844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.282{5EBD8912-18BB-6154-4A00-00000000FE01}39123916C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.282{5EBD8912-18B9-6154-2F00-00000000FE01}24082344C:\Windows\system32\DFSRs.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmidcprv.dll+163a4|C:\Windows\system32\wbem\wmidcprv.dll+166e0|C:\Windows\system32\wbem\wmidcprv.dll+abad|C:\Windows\system32\wbem\wmidcprv.dll+b57e|C:\Windows\system32\DFSRs.exe+d847d|C:\Windows\system32\DFSRs.exe+c1bd|C:\Windows\system32\DFSRs.exe+51c1|C:\Windows\system32\DFSRs.exe+73b2|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.266{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BC-6154-4C00-00000000FE01}3984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.266{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BC-6154-4C00-00000000FE01}3984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001515840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:48.235{5EBD8912-18BC-6154-4C00-00000000FE01}3984\PSHost.132773749081502176.3984.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001515839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.233{5EBD8912-18BC-6154-4C00-00000000FE01}3984NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_xmromjit.scl.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001515838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.232{5EBD8912-18BC-6154-4C00-00000000FE01}3984NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_byanvbfj.dtx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001515837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.213{5EBD8912-18BC-6154-4C00-00000000FE01}3984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_byanvbfj.dtx.ps12021-09-29 07:41:48.213 10341000x80000000000000001515836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.197{5EBD8912-18BB-6154-4900-00000000FE01}38403872C:\Windows\system32\wbem\wmiprvse.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1040C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\combase.dll+ac312|C:\Windows\System32\combase.dll+acc3e|C:\Windows\System32\combase.dll+ac9ff|C:\Windows\System32\combase.dll+2f2c8|C:\Windows\System32\combase.dll+2eee0|C:\Windows\System32\combase.dll+3bf47|C:\Windows\System32\combase.dll+c2774|C:\Windows\System32\combase.dll+38f61|C:\Windows\System32\combase.dll+3a760|C:\Windows\System32\combase.dll+4dba|C:\Windows\System32\RPCRT4.dll+da374|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001515835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.193{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BC-6154-4C00-00000000FE01}3984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.158{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BC-6154-4C00-00000000FE01}3984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.155{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.155{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.155{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.155{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.154{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.154{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.154{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.154{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.154{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BC-6154-4C00-00000000FE01}3984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.154{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.153{5EBD8912-18BB-6154-4300-00000000FE01}36403796C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BC-6154-4C00-00000000FE01}3984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001515822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.150{5EBD8912-18BC-6154-4C00-00000000FE01}3984C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'" "| Select-Object" "ProductName, BuildLabEx, CurrentMajorVersionNumber, CurrentMinorVersionNumber" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001515821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.078{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BB-6154-4B00-00000000FE01}3932C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.078{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BB-6154-4B00-00000000FE01}3932C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.029{5EBD8912-18AC-6154-1600-00000000FE01}12722968C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4B00-00000000FE01}3932C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.010{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4B00-00000000FE01}3932C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.989{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BD-6154-5A00-00000000FE01}3224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.963{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5A00-00000000FE01}3224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.961{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.961{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.961{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.961{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.961{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.961{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.961{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.960{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.960{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.960{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5A00-00000000FE01}3224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.960{5EBD8912-18BB-6154-4300-00000000FE01}36403812C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BD-6154-5A00-00000000FE01}3224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001516097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.960{5EBD8912-18BD-6154-5A00-00000000FE01}3224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\AwsNitroEnclaves'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001516096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.939{5EBD8912-18BD-6154-5600-00000000FE01}4084NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.467{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55342- 354300x80000000000000001516094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.329{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-61698- 354300x80000000000000001516093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.156{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-52074- 354300x80000000000000001516092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.132{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49694-false169.254.169.254-80http 354300x80000000000000001516091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.131{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49693-false169.254.169.254-80http 354300x80000000000000001516090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.925{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49692-false169.254.169.254-80http 354300x80000000000000001516089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:47.804{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49691-false169.254.169.254-80http 10341000x80000000000000001516088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.901{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5900-00000000FE01}1132C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5900-00000000FE01}1132C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18BD-6154-5800-00000000FE01}40324092C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-18BD-6154-5900-00000000FE01}1132C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.899{5EBD8912-18BD-6154-5900-00000000FE01}1132C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BD-6154-5800-00000000FE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list replication_port --no-log 10341000x80000000000000001516075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5800-00000000FE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5800-00000000FE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18BD-6154-5700-00000000FE01}40564064C:\Windows\system32\cmd.exe{5EBD8912-18BD-6154-5800-00000000FE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.893{5EBD8912-18BD-6154-5800-00000000FE01}4032C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-18BD-6154-5700-00000000FE01}4056C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-log 10341000x80000000000000001516062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5700-00000000FE01}4056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5700-00000000FE01}4056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.886{5EBD8912-18BB-6154-4500-00000000FE01}36603664C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BD-6154-5700-00000000FE01}4056C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18274|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.887{5EBD8912-18BD-6154-5700-00000000FE01}4056C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list replication_port --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 23542300x80000000000000001516049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.822{5EBD8912-18BD-6154-5500-00000000FE01}3832NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=BAA3D9652166DC4163F7323B34F168FA,SHA256=0A1E4AAE2B282671AA08BBBF61D7B1808B52B350A12845444CD028CBDBBDA44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.791{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BD-6154-5500-00000000FE01}3832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.791{5EBD8912-18BD-6154-5500-00000000FE01}38323828C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e675|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f344c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.775{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BD-6154-5600-00000000FE01}4084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.775{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BD-6154-5600-00000000FE01}4084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001516044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:49.759{5EBD8912-18BD-6154-5600-00000000FE01}4084\PSHost.132773749095775406.4084.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001516043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.744{5EBD8912-18BD-6154-5600-00000000FE01}4084NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_o54hkybv.oly.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.744{5EBD8912-18BD-6154-5600-00000000FE01}4084NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_zj5dp5xl.w2n.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001516041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.728{5EBD8912-18BD-6154-5600-00000000FE01}4084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_zj5dp5xl.w2n.ps12021-09-29 07:41:49.728 10341000x80000000000000001516040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.728{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BD-6154-5600-00000000FE01}4084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.579{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5600-00000000FE01}4084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.578{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.578{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.578{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.578{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.578{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.577{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.577{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.577{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.577{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.577{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5600-00000000FE01}4084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.577{5EBD8912-18BB-6154-4300-00000000FE01}36403780C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BD-6154-5600-00000000FE01}4084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001516027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.577{5EBD8912-18BD-6154-5600-00000000FE01}4084C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-ItemProperty -Path 'HKLM:\SOFTWARE\Amazon\PVDriver'" "| Select-Object" "Name, Version" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001516026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5500-00000000FE01}3832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5500-00000000FE01}3832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18BB-6154-4500-00000000FE01}36603664C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BD-6154-5500-00000000FE01}3832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18226|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.538{5EBD8912-18BD-6154-5500-00000000FE01}3832C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd" check-transforms-keysC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001516013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18BD-6154-5400-00000000FE01}1968C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.537{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18BD-6154-5400-00000000FE01}1968C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.534{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BD-6154-5400-00000000FE01}1968C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.527{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5400-00000000FE01}1968C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.524{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5400-00000000FE01}1968C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.523{5EBD8912-18BB-6154-4300-00000000FE01}36403644C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BD-6154-5400-00000000FE01}1968C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001515998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.523{5EBD8912-18BD-6154-5400-00000000FE01}1968C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001515997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.494{5EBD8912-18BC-6154-4F00-00000000FE01}3408NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001515996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.494{5EBD8912-18BD-6154-5300-00000000FE01}33243728C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.333{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.333{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5300-00000000FE01}3324C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5300-00000000FE01}3324C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18BD-6154-5200-00000000FE01}33443340C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-18BD-6154-5300-00000000FE01}3324C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.260{5EBD8912-18BD-6154-5300-00000000FE01}3324C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BD-6154-5200-00000000FE01}3344C:\Program Files\SplunkUniversalForwarder\bin\btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warnings 10341000x80000000000000001515980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BD-6154-5200-00000000FE01}3344C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BD-6154-5200-00000000FE01}3344C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001515969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.254{5EBD8912-18BB-6154-4500-00000000FE01}36603664C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BD-6154-5200-00000000FE01}3344C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4022c|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+403f8|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+404c7|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+40fee|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+13671|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+181c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001515968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.253{5EBD8912-18BD-6154-5200-00000000FE01}3344C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exe"C:\Program Files\SplunkUniversalForwarder\bin\btool" validate-regex --log-warningsC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001515967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.207{5EBD8912-18BC-6154-5100-00000000FE01}36323628C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.191{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BC-6154-4F00-00000000FE01}3408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001515965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.191{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BC-6154-4F00-00000000FE01}3408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001515964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:49.174{5EBD8912-18BC-6154-4F00-00000000FE01}3408\PSHost.132773749088125087.3408.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001515963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.159{5EBD8912-18BC-6154-4F00-00000000FE01}3408NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_hjf43lf4.jx4.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001515962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.159{5EBD8912-18BC-6154-4F00-00000000FE01}3408NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tn1tyylj.4dy.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001515961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.144{5EBD8912-18BC-6154-4F00-00000000FE01}3408C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_tn1tyylj.4dy.ps12021-09-29 07:41:49.144 23542300x80000000000000001515960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.061{5EBD8912-18B9-6154-2600-00000000FE01}2856NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:48.713{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-17835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001516236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.969{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.969{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.969{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.969{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.953{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.953{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.953{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BE-6154-6200-00000000FE01}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.953{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.953{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.953{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.953{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BE-6154-6200-00000000FE01}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.953{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BE-6154-6200-00000000FE01}3836C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.962{5EBD8912-18BE-6154-6200-00000000FE01}3836C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\MonitorNoHandle.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001516223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.734{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\composite.xmlMD5=BAA3D9652166DC4163F7323B34F168FA,SHA256=0A1E4AAE2B282671AA08BBBF61D7B1808B52B350A12845444CD028CBDBBDA44D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.687{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BE-6154-5F00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.687{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BE-6154-5F00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001516218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:50.656{5EBD8912-18BE-6154-5F00-00000000FE01}3400\PSHost.132773749104699607.3400.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 10341000x80000000000000001516217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BE-6154-6100-00000000FE01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BE-6154-6100-00000000FE01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.656{5EBD8912-18BE-6154-6000-00000000FE01}36843688C:\Windows\system32\cmd.exe{5EBD8912-18BE-6154-6100-00000000FE01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.658{5EBD8912-18BE-6154-6100-00000000FE01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe8.0.2splunk Applicationsplunk ApplicationSplunk Inc.splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BA47934C1D8F8F5D495F67F9B6EF5D0B,SHA256=39A00C55E1BC2233DBEE2A3F2F8CB9BD3668275DCA5F83BD11958FAF50E8C8CE,IMPHASH=4D753DA340C903D8C30CD8B0CF2B73E3{5EBD8912-18BE-6154-6000-00000000FE01}3684C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1 10341000x80000000000000001516206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BE-6154-6000-00000000FE01}3684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BE-6154-6000-00000000FE01}3684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BE-6154-6000-00000000FE01}3684C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+edcb8|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+eef54|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ebd46|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001516194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.337{5EBD8912-18B9-6154-2F00-00000000FE01}2408WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 154100x80000000000000001516193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.650{5EBD8912-18BE-6154-6000-00000000FE01}3684C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c "C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal check-xml-files --answer-yes --no-prompt 2>&1C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001516192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18BE-6154-5F00-00000000FE01}3400NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_c3fzzcma.4b2.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\splunk\pre-flight-checksMD5=52414E13BC571139A78F09588A1364A4,SHA256=3C1F79227940F5C563684E97F96860594D7E76089653064CB910620CB735929B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.640{5EBD8912-18BE-6154-5F00-00000000FE01}3400NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_br512lut.xzx.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001516189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.568{5EBD8912-18BE-6154-5F00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_br512lut.xzx.ps12021-09-29 07:41:50.568 10341000x80000000000000001516188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.515{5EBD8912-18BE-6154-5D00-00000000FE01}28563620C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.515{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BE-6154-5F00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.475{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BE-6154-5F00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.472{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.472{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.470{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.470{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.470{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.470{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.470{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BE-6154-5F00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.470{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.470{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.470{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.469{5EBD8912-18BB-6154-4300-00000000FE01}36403812C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BE-6154-5F00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001516174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.469{5EBD8912-18BE-6154-5F00-00000000FE01}3400C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-CimInstance Win32_PnPEntity | Where-Object { $_.Service -eq 'xenvbd' }" "| Select-Object" DeviceID "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001516173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.410{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18BE-6154-5E00-00000000FE01}3632C:\Windows\System32\Wbem\wmic.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.410{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18BE-6154-5E00-00000000FE01}3632C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.410{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BE-6154-5E00-00000000FE01}3632C:\Windows\System32\Wbem\wmic.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.400{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BE-6154-5E00-00000000FE01}3632C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.398{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.398{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.397{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.397{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.397{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.397{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.397{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.397{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.397{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.396{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BE-6154-5E00-00000000FE01}3632C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.396{5EBD8912-18BB-6154-4300-00000000FE01}36403780C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BE-6154-5E00-00000000FE01}3632C:\Windows\System32\Wbem\wmic.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 154100x80000000000000001516158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.396{5EBD8912-18BE-6154-5E00-00000000FE01}3632C:\Windows\System32\wbem\WMIC.exe10.0.14393.0 (rs1_release.160715-1616)WMI Commandline UtilityMicrosoft® Windows® Operating SystemMicrosoft Corporationwmic.exewmic OS get OperatingSystemSKU /format:listC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=2CEE7F1AD77D8817E0F043E5E5ED1C83,SHA256=6679EA8FBEB539B5852CE8838420471FED0600F5050F3370DBB355DAC76BF072,IMPHASH=1B1A3F43BF37B5BFE60751F2EE2F326E{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 23542300x80000000000000001516157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.365{5EBD8912-18BD-6154-5A00-00000000FE01}3224NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.179{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BE-6154-5D00-00000000FE01}2856C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BE-6154-5D00-00000000FE01}2856C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18BE-6154-5C00-00000000FE01}24922328C:\Program Files\SplunkUniversalForwarder\bin\btool.exe{5EBD8912-18BE-6154-5D00-00000000FE01}2856C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+239c|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2568|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+2926|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+11cf|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+1245|C:\Program Files\SplunkUniversalForwarder\bin\btool.exe+aa24|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.178{5EBD8912-18BE-6154-5D00-00000000FE01}2856C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe8.0.2splunkd servicesplunk ApplicationSplunk Inc.splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE" btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=B6D66AB97239BFB32F1CC9B8BFE1B4E0,SHA256=9D5EC3AA587B29840BE53E8E11B1C3BFE2FA3413DD65459325CBEEAFA66D3975,IMPHASH=CD69F86EE9B3C12390F5C7499BD3A589{5EBD8912-18BE-6154-5C00-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\btool.exebtool server list general --no-log 10341000x80000000000000001516143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BE-6154-5C00-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BE-6154-5C00-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.163{5EBD8912-18BE-6154-5B00-00000000FE01}25362512C:\Windows\system32\cmd.exe{5EBD8912-18BE-6154-5C00-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\btool.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.168{5EBD8912-18BE-6154-5C00-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\btool.exe8.0.2btoolsplunk ApplicationSplunk Inc.btool.exebtool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BC53EBF68CFA6E8A254D89ABEC89A65D,SHA256=97024B4A7182D9C253B1AC4E56A1C8F3BC8808B79E6D022EF27B95003622F0A4,IMPHASH=572E0CF4672412FA940B0E1835926B3B{5EBD8912-18BE-6154-5B00-00000000FE01}2536C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c btool server list general --no-log 10341000x80000000000000001516130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BE-6154-5B00-00000000FE01}2536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BE-6154-5B00-00000000FE01}2536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.147{5EBD8912-18BB-6154-4500-00000000FE01}36603664C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe{5EBD8912-18BE-6154-5B00-00000000FE01}2536C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\ucrtbase.dll+9ea4a|C:\Windows\System32\ucrtbase.dll+9e42e|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+43bc6|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+6665|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+18319|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+1adfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe+4cf68|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.156{5EBD8912-18BE-6154-5B00-00000000FE01}2536C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c btool server list general --no-logC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18BB-6154-4500-00000000FE01}3660C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk.exe" _internal pre-flight-checks --answer-yes --no-prompt 10341000x80000000000000001516117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.115{5EBD8912-18BD-6154-5900-00000000FE01}11323368C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e675|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+116e1a6|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f344c|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+f2a91|C:\Program Files\SplunkUniversalForwarder\bin\SplunkD.EXE+19fdb50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.036{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18BD-6154-5A00-00000000FE01}3224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.036{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18BD-6154-5A00-00000000FE01}3224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001516114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:50.020{5EBD8912-18BD-6154-5A00-00000000FE01}3224\PSHost.132773749099608177.3224.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001516113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.005{5EBD8912-18BD-6154-5A00-00000000FE01}3224NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_n1abocz5.rgc.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.005{5EBD8912-18BD-6154-5A00-00000000FE01}3224NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_fvek4jey.yer.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001516111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.005{5EBD8912-18BD-6154-5A00-00000000FE01}3224C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_fvek4jey.yer.ps12021-09-29 07:41:50.005 10341000x80000000000000001516381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6C00-00000000FE01}3388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6C00-00000000FE01}3388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.962{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6C00-00000000FE01}3388C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.964{5EBD8912-18BF-6154-6C00-00000000FE01}3388C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell2.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001516368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6B00-00000000FE01}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6B00-00000000FE01}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.852{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6B00-00000000FE01}2404C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.856{5EBD8912-18BF-6154-6B00-00000000FE01}2404C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\powershell.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001516355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6A00-00000000FE01}3612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6A00-00000000FE01}3612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.743{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6A00-00000000FE01}3612C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.745{5EBD8912-18BF-6154-6A00-00000000FE01}3612C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\perfmon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001516342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6900-00000000FE01}3276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6900-00000000FE01}3276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.634{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6900-00000000FE01}3276C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.636{5EBD8912-18BF-6154-6900-00000000FE01}3276C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\admon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001516329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6800-00000000FE01}3268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6800-00000000FE01}3268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.524{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6800-00000000FE01}3268C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.527{5EBD8912-18BF-6154-6800-00000000FE01}3268C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinRegMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001516316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.430{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BF-6154-6400-00000000FE01}3832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.430{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18BF-6154-6400-00000000FE01}3832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.430{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6700-00000000FE01}4064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6700-00000000FE01}4064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.415{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6700-00000000FE01}4064C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.418{5EBD8912-18BF-6154-6700-00000000FE01}4064C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinPrintMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 17141700x80000000000000001516301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:41:51.384{5EBD8912-18BF-6154-6400-00000000FE01}3832\PSHost.132773749110718224.3832.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001516300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.368{5EBD8912-18BF-6154-6400-00000000FE01}3832NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_13g0gokq.lmh.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.368{5EBD8912-18BF-6154-6400-00000000FE01}3832NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_le2luilr.ly0.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001516298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.352{5EBD8912-18BF-6154-6400-00000000FE01}3832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\Temp\__PSScriptPolicyTest_le2luilr.ly0.ps12021-09-29 07:41:51.352 10341000x80000000000000001516297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.337{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18BF-6154-6400-00000000FE01}3832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6600-00000000FE01}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6600-00000000FE01}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.306{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6600-00000000FE01}4020C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.308{5EBD8912-18BF-6154-6600-00000000FE01}4020C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinNetMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001516283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.323{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49695-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.323{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49695-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.805{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49847- 354300x80000000000000001516280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.804{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49846- 354300x80000000000000001516279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.803{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60045- 354300x80000000000000001516278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.803{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49845- 354300x80000000000000001516277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:48.578{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local65535- 10341000x80000000000000001516276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6500-00000000FE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6500-00000000FE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.196{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6500-00000000FE01}4004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.200{5EBD8912-18BF-6154-6500-00000000FE01}4004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinHostMon.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001516263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.076{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.076{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.076{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.076{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.076{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.076{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.075{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.075{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.075{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.075{5EBD8912-18BB-6154-4700-00000000FE01}37243744C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6400-00000000FE01}3832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.073{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18BF-6154-6300-00000000FE01}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.072{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.072{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6400-00000000FE01}3832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.072{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.072{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.072{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.071{5EBD8912-18BB-6154-4300-00000000FE01}36403780C:\Program Files\Amazon\SSM\ssm-agent-worker.exe{5EBD8912-18BF-6154-6400-00000000FE01}3832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Amazon\SSM\ssm-agent-worker.exe+6f23e 10341000x80000000000000001516246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.071{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.071{5EBD8912-18BF-6154-6400-00000000FE01}3832C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEpowershell "Get-WinEvent -FilterHashtable @( @{ LogName='System'; ProviderName='Microsoft-Windows-Kernel-General'; Id=12; Level=4 }, @{ LogName='System'; ProviderName='Microsoft-Windows-WER-SystemErrorReporting'; Id=1001; Level=2 } ) | Sort-Object TimeCreated -Descending" "| Select-Object" "Id, Level, ProviderName, TimeCreated, Properties" "| ConvertTo-Json -Depth 3"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exe"C:\Program Files\Amazon\SSM\ssm-agent-worker.exe" 10341000x80000000000000001516244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.071{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.071{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.071{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.071{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.070{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18BF-6154-6300-00000000FE01}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.070{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18BF-6154-6300-00000000FE01}4072C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.070{5EBD8912-18BF-6154-6300-00000000FE01}4072C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Program Files\SplunkUniversalForwarder\etc\system\bin\WinEventLog.cmd" --scheme"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001516237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.047{5EBD8912-18BE-6154-5F00-00000000FE01}3400NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18C0-6154-6D00-00000000FE01}3632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18C0-6154-6D00-00000000FE01}3632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.778{5EBD8912-18B9-6154-2900-00000000FE01}29603288C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18C0-6154-6D00-00000000FE01}3632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7d35e7|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7cdcb9|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca4ec|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7ca0a3|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+7c9f0d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6d7908|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6de2ee|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b29fa|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+6b4274|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e42dc|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ec682|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e9959|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+d7f31|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.076{5EBD8912-18C0-6154-6D00-00000000FE01}3632C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe" --schemeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001516392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.593{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-50552- 354300x80000000000000001516391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.267{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-7756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:50.218{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-62528- 354300x80000000000000001516389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.807{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49846- 354300x80000000000000001516388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.807{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49847- 354300x80000000000000001516387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.807{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49845- 354300x80000000000000001516386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.807{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-60045- 354300x80000000000000001516385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.573{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-65535- 354300x80000000000000001516384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:49.460{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55342- 13241300x80000000000000001516383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:52.263{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0x77f3c4f4) 23542300x80000000000000001516382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.184{5EBD8912-18BF-6154-6400-00000000FE01}3832NT AUTHORITY\SYSTEMC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.119{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49849- 354300x80000000000000001516406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:51.123{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49849- 354300x80000000000000001423072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:50.891{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20599-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001516412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.264{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49850- 354300x80000000000000001516411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.264{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse169.254.169.123-123ntp 354300x80000000000000001516410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.260{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-429.attackrange.local138netbios-dgm 354300x80000000000000001516409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.260{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x80000000000000001516408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.253{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54351- 734700x80000000000000001423075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:15.622{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 734700x80000000000000001423074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:46.031{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 354300x80000000000000001423073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:53.023{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-24209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001516416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:53.330{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-61797- 354300x80000000000000001516415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:53.264{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49850- 354300x80000000000000001516414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:53.248{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-54351- 354300x80000000000000001516413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:52.803{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001423087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000000) 13241300x80000000000000001423086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001423085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001423084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000000) 13241300x80000000000000001423083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001423082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001423081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001423080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001423079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001423078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001423077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001423076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:41:56.484{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 354300x80000000000000001516435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:54.999{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51621- 354300x80000000000000001516434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:54.405{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53381- 354300x80000000000000001516433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:54.405{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49851- 10341000x80000000000000001516432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.544{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.545{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe-----"C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=9916D1AB54ACD0592052F87DFDBFD5F8,SHA256=704C0DEC2F15B4ADBC3165475D0F6504C90AD8B28B6926F7EAD67C2F2CCE77F5,IMPHASH=B0958DE096151B4209C7AECE2483DEF3{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001516419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.107{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=2B8B6F7194A3F50AA460C08DAE99D995,SHA256=3283EB762746FFF46F128116797A59DA41352BEAE9E97B3C1A1F1F24D27A8D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.107{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=AA1990667BCFDA523652BC75903C63A2,SHA256=94434AA22DFC8B4268B6BA41E814A3219A3F3687DF7477A87866C024105F8C73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.091{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=DBD4DBDE5CC526C125809EAFE850BE60,SHA256=55535EC7DB2C549BFF03F6A24B1AFBDE7474DFD564E963F354A586D3CC099C84,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.265{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15-59169- 354300x80000000000000001516457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:55.998{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-51621- 354300x80000000000000001516456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:55.688{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49884- 354300x80000000000000001516455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:55.404{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49851- 354300x80000000000000001516454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:55.404{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53381- 10341000x80000000000000001516453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.435{5EBD8912-18C4-6154-6E00-00000000FE01}40043412C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+2016cb|C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe+a6e213|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001516452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:57.435{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMinorVersionDWORD (0x00000000) 13241300x80000000000000001516451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:57.435{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\PACKETDRIVER\NdisMajorVersionDWORD (0x00000005) 13241300x80000000000000001516450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:41:57.435{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\npf\TimestampModeDWORD (0x00000000) 10341000x80000000000000001516449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.420{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18C5-6154-6F00-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18C5-6154-6F00-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18C5-6154-6F00-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.388{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18C5-6154-6F00-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.224{5EBD8912-18C5-6154-6F00-00000000FE01}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe8.0.2Remote Performance monitor using WMIsplunk ApplicationSplunk Inc.splunk-wmi.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-wmi.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=5DA29397A44401083341D66B52CA8BC4,SHA256=F51A58BCBF3532B9EF1B6478839424C33EA0426BCD5C6B4B636AD25D5177379C,IMPHASH=FFEB0CD073A55A73D08AC443E4942F81{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001423088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:56.571{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27547-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001516474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.878{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-18446-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.733{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49852- 354300x80000000000000001516472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:56.686{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49884- 10341000x80000000000000001516471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18C6-6154-7000-00000000FE01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18C6-6154-7000-00000000FE01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18C6-6154-7000-00000000FE01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.310{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.129{5EBD8912-18C6-6154-7000-00000000FE01}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 644600x80000000000000001423089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:28.188C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtrueRiverbed Technology, Inc.Valid 354300x80000000000000001516496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.572{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49701-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.571{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49701-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.567{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49700-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.567{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49700-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.562{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49699-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.562{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49699-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 22542200x80000000000000001516490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.576{5EBD8912-18A9-6154-0B00-00000000FE01}640_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ATTACKRANGE.LOCAL.1460-C:\Windows\System32\lsass.exe 22542200x80000000000000001516489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.426{5EBD8912-18C4-6154-6E00-00000000FE01}4004win-dc-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 10341000x80000000000000001516488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.435{5EBD8912-18C7-6154-7100-00000000FE01}39164024C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.216{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18C7-6154-7100-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18C7-6154-7100-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.200{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18C7-6154-7100-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.020{5EBD8912-18C7-6154-7100-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001516512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.732{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49852- 22542200x80000000000000001516511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.732{5EBD8912-18C4-6154-6E00-00000000FE01}4004win-dc-429.attackrange.local010.0.1.14;C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe 22542200x80000000000000001516510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:58.643{5EBD8912-18B9-6154-2700-00000000FE01}2944win-dc-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe 10341000x80000000000000001516509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18C7-6154-7200-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18C7-6154-7200-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.107{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18C7-6154-7200-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.910{5EBD8912-18C7-6154-7200-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001423090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:41:58.939{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-30754-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001516538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.907{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18C9-6154-7400-00000000FE01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.907{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18C9-6154-7400-00000000FE01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.891{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18C9-6154-7400-00000000FE01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.710{5EBD8912-18C9-6154-7400-00000000FE01}3636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001516525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18C8-6154-7300-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18C8-6154-7300-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.079{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18C8-6154-7300-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.820{5EBD8912-18C8-6154-7300-00000000FE01}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe8.0.2Performance monitorsplunk ApplicationSplunk Inc.splunk-perfmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-perfmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=1F3027C93882E5D5A667B84CCEF3ED67,SHA256=504CDB3742BCBF617C837270CCEC0243205B7BF0A6AB5117EFB838DD2F004AAC,IMPHASH=53D37CD53647C5D82FCFA9E6970E154E{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001423092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:01.031{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.15win-host-542.attackrange.local137netbios-nsfalse10.0.1.14-137netbios-ns 354300x80000000000000001423091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:00.512{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-32610-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001516559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.829{5EBD8912-18CA-6154-7500-00000000FE01}35043520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001516558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.688{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56025- 354300x80000000000000001516557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.468{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:98b0:5308:84ce:ffff-56573-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001516556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.467{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local56573-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001516555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.467{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49853- 354300x80000000000000001516554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:00.467{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local137netbios-nsfalse10.0.1.15WIN-HOST-542137netbios-ns 10341000x80000000000000001516553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18CA-6154-7500-00000000FE01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18CA-6154-7500-00000000FE01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.594{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18CA-6154-7500-00000000FE01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.595{5EBD8912-18CA-6154-7500-00000000FE01}3504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001516540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.172{5EBD8912-18C9-6154-7400-00000000FE01}36363348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001516539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:59.551{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21648-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001516575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.594{5EBD8912-18CB-6154-7600-00000000FE01}38203452C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 644600x80000000000000001516574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:07.030C:\Windows\System32\drivers\ena.sysMD5=C593555FD929A6FA925129109C08FC65,SHA256=5ADD00C93BE0C3E978DA48DED964A54F730B40F98C72D3F6145D79E3BFE8364D,IMPHASH=FB370D8374B216430C11D17F479694B1trueAmazon Web Services, Inc.Valid 10341000x80000000000000001516573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.314{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18CB-6154-7600-00000000FE01}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-18CB-6154-7600-00000000FE01}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.299{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18CB-6154-7600-00000000FE01}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.100{5EBD8912-18CB-6154-7600-00000000FE01}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 644600x80000000000000001516560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:06.607C:\Windows\System32\drivers\AWSNVMe.sysMD5=F973CB5B8A3BF93A98EC05CC5ADE2AF2,SHA256=3FF25D39BE1979F3CE802E3A20BE2DDAD80A7E77EBCFC3393AFC1F24B8F38D34,IMPHASH=CD93018539A11565D60D28DF18DCB293trueAmazon Web Services, Inc.Valid 23542300x80000000000000001516616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.969{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=27603451299B5D684F6B69FD5FA00277,SHA256=F90E8FABCDB89EDA769FB287D01283579BF079BE799215CAF8E715A71EB79E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.954{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=58C168EE229A43C0BC74AA5B6E0F3BFC,SHA256=942CC03CC3588A58ACA282C5D5F766DAF6033513741A4D120EE3DB7533BFE009,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.954{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D83631466429AEDE90C359FD4CCAD2E,SHA256=AD64791056C522EBDF1B1A867C87E46383C86370AB2D1E28604B669E348FE8E2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18CC-6154-7800-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18CC-6154-7800-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.938{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18CC-6154-7800-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.745{5EBD8912-18CC-6154-7800-00000000FE01}3360C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001516600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.141{5EBD8912-18AC-6154-1200-00000000FE01}452wpad1460-C:\Windows\System32\svchost.exe 23542300x80000000000000001516599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.579{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E1AE1580E81E8A7E67FD9A9CEB21B88B,SHA256=ABB2C764586E3B64438450B2EACB60811B3AF7BD1EC7B9870333DF42014A4F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.563{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=2B51036F5B9CB40B0B45F34F8F23312A,SHA256=7DAC606D7E3478047B66141081AF5DDE7FEF0E5F33A5B40976A09801E23B6174,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.547{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=7949280ED120C0269B4B5030A9FA846B,SHA256=55DD19A75A82174F1451D2F813F7D70C5089C177E7FC3CDAC97C36F5C09AEA01,IMPHASH=00000000000000000000000000000000falsetrue 644600x80000000000000001516596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:28.904C:\Windows\System32\drivers\AWSNVMe.sysMD5=F973CB5B8A3BF93A98EC05CC5ADE2AF2,SHA256=3FF25D39BE1979F3CE802E3A20BE2DDAD80A7E77EBCFC3393AFC1F24B8F38D34,IMPHASH=CD93018539A11565D60D28DF18DCB293trueAmazon Web Services, Inc.Valid 23542300x80000000000000001516595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.532{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=6279C9D07BF40AC58627AF245281978A,SHA256=CFA60EBDBB0C8014395FBAC1084DBD767A374C5CED6C5D7E2ECAD4EF59B605FD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.516{5EBD8912-18CB-6154-7700-00000000FE01}13363076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+577205|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+576d36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+56c09|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+572d6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe+8fe2c4|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.344{5EBD8912-18AC-6154-1400-00000000FE01}9481172C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001516592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:42:04.282{5EBD8912-18AC-6154-1200-00000000FE01}452\W32TIME_ALTC:\Windows\system32\svchost.exe 10341000x80000000000000001516591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.204{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-18CB-6154-7700-00000000FE01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.204{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.204{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.204{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.188{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.188{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.188{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.188{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.188{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.188{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.188{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18CB-6154-7700-00000000FE01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.188{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-18CB-6154-7700-00000000FE01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.979{5EBD8912-18CB-6154-7700-00000000FE01}1336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe8.0.2Monitor windows event logssplunk ApplicationSplunk Inc.splunk-winevtlog.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=A735F697C6C533F20D023E4318824194,SHA256=295236CFB06A5F9C1F76EECC468F9A070BFCB5C4E094918059EC86BBB654E119,IMPHASH=85F4904CF3562658E303E53274ABD436{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001516578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.689{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-56025- 354300x80000000000000001516577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.572{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:01.470{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-49853- 354300x80000000000000001423093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:03.116{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-36002-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 22542200x80000000000000001516621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.282{5EBD8912-18AC-6154-1400-00000000FE01}948_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001516620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.282{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 23542300x80000000000000001516619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:05.329{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=874DAA89656C93F569BA8A344EF80BC9,SHA256=E2F696D188C1347875FEE4F3C6D0673A712E305C612DF99A5643A35B973AF62E,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001516618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:29.858{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 734700x80000000000000001516617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:45.412{5EBD8912-18B9-6154-2D00-00000000FE01}2460C:\Windows\System32\ismserv.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 354300x80000000000000001423094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:05.229{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-39134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 22542200x80000000000000001516628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.529{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.1460-C:\Windows\System32\lsass.exe 354300x80000000000000001516627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.268{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53810- 354300x80000000000000001516626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.736{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-55723- 354300x80000000000000001516625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.736{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-61160- 354300x80000000000000001516624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:03.278{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27503-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.736{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61160- 354300x80000000000000001516622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:02.736{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55723- 734700x80000000000000001516632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:33.014{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 354300x80000000000000001516631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:05.267{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53810- 354300x80000000000000001516630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:05.238{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:04.515{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53098- 354300x80000000000000001516633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:05.501{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53098- 354300x80000000000000001423095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:08.399{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-43233-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 22542200x80000000000000001516635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:09.755{5EBD8912-18AC-6154-1400-00000000FE01}948isatap.eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 354300x80000000000000001516634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:08.474{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33714-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001516645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:11.923{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 17141700x80000000000000001516644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:42:11.720{5EBD8912-18B9-6154-2B00-00000000FE01}3056\Winsock2\CatalogChangeListener-bf0-0C:\Windows\system32\dns.exe 13241300x80000000000000001516643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:11.720{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\system32\dns.exeHKLM\System\CurrentControlSet\Services\DNS\Parameters\PreviousLocalHostnamewin-dc-429.attackrange.local 10341000x80000000000000001516642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.720{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 734700x80000000000000001516641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.673{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001516640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.626{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\system32\dns.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.626{5EBD8912-18A9-6154-0B00-00000000FE01}640680C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\system32\dns.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001516638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:11.626{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion CompleteDWORD (0x00000001) 354300x80000000000000001516637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:09.779{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36727-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:09.740{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53461- 354300x80000000000000001516661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.714{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49707-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.713{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49707-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001516659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.699{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61003- 354300x80000000000000001516658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.699{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61003-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001516657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.618{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49706-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001516656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.618{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49706-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001516655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.617{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49705-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001516654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.617{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49705-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001516653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.615{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49704-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001516652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.615{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49704-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001516651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.612{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-137netbios-nsfalse10.0.1.14win-dc-429.attackrange.local137netbios-ns 354300x80000000000000001516650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.612{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local137netbios-nsfalse10.0.1.255-137netbios-ns 354300x80000000000000001516649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:10.751{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-53domainfalse127.0.0.1-53461- 354300x80000000000000001516648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:10.219{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54263663- 23542300x80000000000000001516647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.219{5EBD8912-18A9-6154-0B00-00000000FE01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=1ED9955C15C95D865A46A537998C900F,SHA256=A28BE6F8BD9359291F4A7F554196F44D63B6A5B945818C2F739AF0C137FB0AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.204{5EBD8912-18A9-6154-0B00-00000000FE01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=ED2FC873BE5555059A770D3C2164EC9A,SHA256=A96B8514429A97FF17594F5FE671898D19C7A97472C49B374CC19678E9139805,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.078{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse127.0.0.1-49847-false127.0.0.1-53domain 354300x80000000000000001516664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.074{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local63613-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 22542200x80000000000000001516663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.633{5EBD8912-18B9-6154-2B00-00000000FE01}3056win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000001516662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.630{5EBD8912-18A9-6154-0B00-00000000FE01}640WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 354300x80000000000000001423098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.671{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local51369-false10.0.1.14-389- 354300x80000000000000001423097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.645{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-542.attackrange.local63663-false10.0.1.14-53domain 354300x80000000000000001423096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:10.279{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-45858-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 644600x80000000000000001516797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:41:57.435C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\npf.sysMD5=DE7FCC77F4A503AF4CA6A47D49B3713D,SHA256=4BFAA99393F635CD05D91A64DE73EDB5639412C129E049F0FE34F88517A10FC6,IMPHASH=CB86059F4B291991E735BECBD4C669CBtrueRiverbed Technology, Inc.Valid 354300x80000000000000001516796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.191{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50930- 354300x80000000000000001516795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.188{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53986- 354300x80000000000000001516794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.186{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58609- 354300x80000000000000001516793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.186{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54899- 354300x80000000000000001516792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.182{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52573- 354300x80000000000000001516791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.182{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52964- 354300x80000000000000001516790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.181{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50733- 354300x80000000000000001516789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.178{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54101- 354300x80000000000000001516788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.177{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local60208- 354300x80000000000000001516787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.176{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53167- 354300x80000000000000001516786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.176{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56069- 354300x80000000000000001516785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.175{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50046- 354300x80000000000000001516784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.174{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52087- 354300x80000000000000001516783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.173{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54875- 354300x80000000000000001516782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.172{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52551- 354300x80000000000000001516781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.170{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52548- 354300x80000000000000001516780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.169{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55539- 354300x80000000000000001516779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.169{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54776- 354300x80000000000000001516778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.168{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56450- 354300x80000000000000001516777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.166{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54688- 354300x80000000000000001516776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.165{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50828- 354300x80000000000000001516775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.164{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local61203- 354300x80000000000000001516774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.162{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53125- 354300x80000000000000001516773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.161{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50949- 354300x80000000000000001516772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.160{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local59130- 354300x80000000000000001516771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.160{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52159- 354300x80000000000000001516770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.159{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51356- 354300x80000000000000001516769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.157{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53602- 354300x80000000000000001516768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.157{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56439- 354300x80000000000000001516767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.156{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55714- 354300x80000000000000001516766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.155{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52278- 354300x80000000000000001516765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.153{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58294- 354300x80000000000000001516764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.153{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55216- 354300x80000000000000001516763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.152{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local59545- 354300x80000000000000001516762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.151{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52066- 354300x80000000000000001516761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.149{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54519- 354300x80000000000000001516760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.148{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58370- 354300x80000000000000001516759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.147{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54740- 354300x80000000000000001516758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.145{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51585- 354300x80000000000000001516757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.145{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54584- 354300x80000000000000001516756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.144{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local60175- 354300x80000000000000001516755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.143{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56134- 354300x80000000000000001516754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.143{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50667- 354300x80000000000000001516753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.142{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58499- 354300x80000000000000001516752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.141{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52457- 354300x80000000000000001516751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.141{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54572- 354300x80000000000000001516750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.140{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49918- 354300x80000000000000001516749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.140{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57922- 354300x80000000000000001516748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.139{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59525- 354300x80000000000000001516747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.139{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51092- 354300x80000000000000001516746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.138{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52736- 354300x80000000000000001516745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.138{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58985- 354300x80000000000000001516744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.137{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53435- 354300x80000000000000001516743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.136{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50570- 354300x80000000000000001516742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.135{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60770- 354300x80000000000000001516741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.135{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local50640- 354300x80000000000000001516740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.134{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55419- 354300x80000000000000001516739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.134{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58210- 354300x80000000000000001516738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.134{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local59848- 354300x80000000000000001516737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.131{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58123- 354300x80000000000000001516736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.131{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58012- 354300x80000000000000001516735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.130{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61163- 354300x80000000000000001516734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.129{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55367- 354300x80000000000000001516733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.128{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local49846- 354300x80000000000000001516732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.127{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57678- 354300x80000000000000001516731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.127{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54304- 354300x80000000000000001516730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.127{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57357- 354300x80000000000000001516729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.124{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57804- 354300x80000000000000001516728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.124{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55601- 354300x80000000000000001516727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.123{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local52799- 354300x80000000000000001516726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.123{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50571- 354300x80000000000000001516725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.122{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56431- 354300x80000000000000001516724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.122{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50725- 354300x80000000000000001516723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.121{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55635- 354300x80000000000000001516722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.120{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53479- 354300x80000000000000001516721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.119{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51386- 354300x80000000000000001516720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.117{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53402- 354300x80000000000000001516719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.115{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60211- 354300x80000000000000001516718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.115{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55366- 354300x80000000000000001516717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.108{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54251369- 354300x80000000000000001516716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.108{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61080- 354300x80000000000000001516715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.106{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55562- 354300x80000000000000001516714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.106{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54251367- 354300x80000000000000001516713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.104{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local60570- 354300x80000000000000001516712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.104{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local65535- 354300x80000000000000001516711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.103{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49942- 354300x80000000000000001516710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.103{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56926- 354300x80000000000000001516709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.101{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57523- 354300x80000000000000001516708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.100{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51741- 354300x80000000000000001516707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.100{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58749- 354300x80000000000000001516706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.099{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98b0:5308:84ce:ffff-58749-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001516705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.099{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue7f00:1:0:0:9870:8404:84ce:ffff-49846-true7f00:1:0:0:0:0:0:0-53domain 354300x80000000000000001516704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.098{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse127.0.0.1-49846-false127.0.0.1-53domain 354300x80000000000000001516703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.094{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54084- 354300x80000000000000001516702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.094{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-429.attackrange.local54084-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001516701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.087{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49709-false93.184.220.29-80http 354300x80000000000000001516700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.085{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54249547- 354300x80000000000000001516699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.085{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54251188- 354300x80000000000000001516698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.081{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51154- 22542200x80000000000000001516697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.213{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.Default-First-Site-Name._sites.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.208{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.204{5EBD8912-18A9-6154-0B00-00000000FE01}640ForestDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.200{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.Default-First-Site-Name._sites.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.195{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.190{5EBD8912-18A9-6154-0B00-00000000FE01}640DomainDnsZones.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.187{5EBD8912-18A9-6154-0B00-00000000FE01}640_kpasswd._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.182{5EBD8912-18A9-6154-0B00-00000000FE01}640_kpasswd._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.178{5EBD8912-18A9-6154-0B00-00000000FE01}640_kerberos._udp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.174{5EBD8912-18A9-6154-0B00-00000000FE01}640_gc._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.170{5EBD8912-18A9-6154-0B00-00000000FE01}640_gc._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.166{5EBD8912-18A9-6154-0B00-00000000FE01}640_kerberos._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.162{5EBD8912-18A9-6154-0B00-00000000FE01}640_kerberos._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.158{5EBD8912-18A9-6154-0B00-00000000FE01}640_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.156{5EBD8912-18A9-6154-0B00-00000000FE01}640_kerberos._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.153{5EBD8912-18A9-6154-0B00-00000000FE01}640gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.151{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.148{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.gc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.144{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.141{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.dc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.137{5EBD8912-18A9-6154-0B00-00000000FE01}64044a19d5f-c868-4426-8454-ab57d4792301._msdcs.attackrange.local.0type: 5 win-dc-429.attackrange.local;C:\Windows\System32\lsass.exe 22542200x80000000000000001516676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.134{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.c17d17ff-578b-48b1-9023-6db0a438f5aa.domains._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.131{5EBD8912-18A9-6154-0B00-00000000FE01}640_msdcs.attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.130{5EBD8912-18A9-6154-0B00-00000000FE01}640_msdcs.attackrange.local.0type: 2 win-dc-429.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.129{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.pdc._msdcs.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.120{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.117{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.attackrange.local.9501type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.116{5EBD8912-18AC-6154-1400-00000000FE01}948_ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001516669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.114{5EBD8912-18A9-6154-0B00-00000000FE01}640attackrange.local.0type: 2 win-dc-429.attackrange.local;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.112{5EBD8912-18AC-6154-1400-00000000FE01}948eu-central-1.compute.internal9501-C:\Windows\System32\svchost.exe 22542200x80000000000000001516667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.108{5EBD8912-18A9-6154-0B00-00000000FE01}640attackrange.local.0type: 6 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001516666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:11.924{5EBD8912-18AC-6154-1600-00000000FE01}1272win10.ipv6.microsoft.com.1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001423103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.669{69CF5F33-1898-6154-0B00-00000000FE01}636win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001423102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.668{69CF5F33-1898-6154-0B00-00000000FE01}636_kerberos._tcp.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001423101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.652{69CF5F33-189A-6154-1500-00000000FE01}1056win-dc-429.attackrange.local010.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001423100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.648{69CF5F33-1898-6154-0B00-00000000FE01}636win-dc-429.attackrange.local1460-C:\Windows\System32\lsass.exe 22542200x80000000000000001423099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.646{69CF5F33-1898-6154-0B00-00000000FE01}636_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 354300x80000000000000001516803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:13.642{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27127-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:13.623{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-27006-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.200{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54056- 354300x80000000000000001516800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.199{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56431- 354300x80000000000000001516799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:12.194{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60870- 22542200x80000000000000001516798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:14.017{5EBD8912-18AC-6154-1100-00000000FE01}444attackrange.local1460-C:\Windows\System32\svchost.exe 10341000x80000000000000001423148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18D7-6154-7100-00000000FE01}2292C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-18D7-6154-7000-00000000FE01}33043308C:\Windows\system32\cmd.exe{69CF5F33-18D7-6154-7100-00000000FE01}2292C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.972{69CF5F33-18D7-6154-7100-00000000FE01}2292C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{69CF5F33-18D7-6154-7000-00000000FE01}3304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000001423136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.953{69CF5F33-18D7-6154-6F00-00000000FE01}31683468C:\Windows\system32\conhost.exe{69CF5F33-18D7-6154-7000-00000000FE01}3304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.953{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18D7-6154-7000-00000000FE01}3304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.937{69CF5F33-18D7-6154-6E00-00000000FE01}25443336C:\Windows\system32\cmd.exe{69CF5F33-18D7-6154-7000-00000000FE01}3304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.949{69CF5F33-18D7-6154-7000-00000000FE01}3304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{69CF5F33-18D7-6154-6E00-00000000FE01}2544C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000001423123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.890{69CF5F33-18D7-6154-6F00-00000000FE01}31683468C:\Windows\system32\conhost.exe{69CF5F33-18D7-6154-6E00-00000000FE01}2544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.843{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18D7-6154-6F00-00000000FE01}3168C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18D7-6154-6E00-00000000FE01}2544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-1100-00000000FE01}9721568C:\Windows\system32\svchost.exe{69CF5F33-18D7-6154-6E00-00000000FE01}2544C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.828{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001423108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:13.633{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59551-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:13.255{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-49289-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.699{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49700-false10.0.1.12-8089- 354300x80000000000000001423105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:12.684{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49699-false10.0.1.12-8089- 10341000x80000000000000001423104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.093{69CF5F33-189A-6154-1500-00000000FE01}10561372C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001516807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:14.928{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-31877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:14.391{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54261081- 354300x80000000000000001516805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:14.315{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53704- 354300x80000000000000001516804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:14.212{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41918-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001423154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:14.942{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7309-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:14.713{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-51545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:13.734{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-1068-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:13.658{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59677-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:16.031{69CF5F33-18D7-6154-6E00-00000000FE01}2544NT AUTHORITY\SYSTEMC:\Windows\system32\cmd.exeC:\Windows\Temp\silconfig.logMD5=CFB828AF82AA4C6711C39B36109328F0,SHA256=DCF45B579F09E2E259544FAE466FFF7B87D9E1490A866E1F4B482B648039F768,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.968{69CF5F33-18D7-6154-6F00-00000000FE01}31683468C:\Windows\system32\conhost.exe{69CF5F33-18D7-6154-7100-00000000FE01}2292C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 734700x80000000000000001516808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.016{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001423157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:17.553{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-000MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:15.060{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7942-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:14.953{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local137netbios-nsfalse10.0.1.12-137netbios-ns 354300x80000000000000001516820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.011{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49714-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001516819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.011{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49714-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001516818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.009{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49713-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001516817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.009{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49713-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001516816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.004{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49712-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001516815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.004{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49712-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001516814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.003{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49711-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001516813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.003{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49711-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001516812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:16.190{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-45059-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:16.018{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-36316-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 22542200x80000000000000001516810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.023{5EBD8912-18AC-6154-1600-00000000FE01}1272win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001516809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.018{5EBD8912-18A9-6154-0B00-00000000FE01}640win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\lsass.exe 23542300x80000000000000001423160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:18.551{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-001MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:16.310{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14724-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:16.197{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14130-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001516822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:18.191{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-45209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:17.114{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-40795-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001423163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:17.605{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-55085-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:17.502{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20954-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:17.429{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-20486-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001516823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:19.253{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-49483-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001423165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:18.722{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-27280-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:18.583{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-26419-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001516824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:19.800{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-48327-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001423172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:21.957{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 13241300x80000000000000001423171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:21.957{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 13241300x80000000000000001423170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:21.832{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001423169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:21.832{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x80000000000000001423168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:21.832{69CF5F33-1895-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 354300x80000000000000001423167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:19.809{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-32930-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:19.601{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-56943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001516826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.270{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54264767- 354300x80000000000000001516825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:20.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53787-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 22542200x80000000000000001423238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.431{69CF5F33-1899-6154-1400-00000000FE01}368win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001423237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.323{69CF5F33-1899-6154-1400-00000000FE01}368wpad9003-C:\Windows\System32\svchost.exe 22542200x80000000000000001423236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.300{69CF5F33-189A-6154-1500-00000000FE01}1056www.msftconnecttest.com0type: 5 v4ncsi.msedge.net;type: 5 ncsi.4-c-0003.c-msedge.net;type: 5 4-c-0003.c-msedge.net;::ffff:13.107.4.52;C:\Windows\System32\svchost.exe 22542200x80000000000000001423235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.299{69CF5F33-1898-6154-0B00-00000000FE01}636_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001423234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:21.838{69CF5F33-1899-6154-1100-00000000FE01}972win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 354300x80000000000000001423233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:21.028{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-39137-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:19.899{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-33292-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001423231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.676{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001423230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.676{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 17141700x80000000000000001423229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-CreatePipe2021-09-29 07:42:22.661{69CF5F33-189A-6154-1800-00000000FE01}1688\Winsock2\CatalogChangeListener-698-0C:\Windows\system32\svchost.exe 13241300x80000000000000001423228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.661{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000776) 13241300x80000000000000001423227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3cbf4f06-c535-4558-82a8-26f69cfba65e}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001423226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{3cbf4f06-c535-4558-82a8-26f69cfba65e}\LastProbeTimeDWORD (0x615418de) 12241200x80000000000000001423225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{941dad9d-7b1a-4354-997b-00cf1aa9b35c} 12241200x80000000000000001423224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{935b7f48-0ede-44dd-9bc2-e00bb635cda3} 12241200x80000000000000001423223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c42f1cd6-3a95-4ae2-a513-793c3ae610c7} 12241200x80000000000000001423222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{2db25e6c-f07a-44f4-b6c8-50a330d2790b} 12241200x80000000000000001423221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{2dd96961-5757-434f-b617-34e732517c0e} 12241200x80000000000000001423220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0ccc96a3-8c5c-45e2-b80e-7e37b16cc1ad} 12241200x80000000000000001423219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.645{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{a47525e2-725b-4888-8af1-ba5a60c04f4d} 12241200x80000000000000001423218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c016105c-eb34-4519-a5fd-5f4e4ad4d18e} 12241200x80000000000000001423217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{074f7f68-ee10-428a-89d1-ba78f6c327ca} 12241200x80000000000000001423216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0c3be01b-fe70-4cc4-89dc-c07996b67e6d} 12241200x80000000000000001423215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{c970a45d-57f9-4e32-a5bd-886a9662641e} 12241200x80000000000000001423214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{12c38916-82ac-4737-8f38-b6957ffebad6} 12241200x80000000000000001423213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{0c41d586-9c19-4e01-9d66-b5b98a97576e} 12241200x80000000000000001423212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\BootTime\Filter\{dc95b53e-01cf-4058-821d-350b3d0d4676} 12241200x80000000000000001423211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{941dad9d-7b1a-4354-997b-00cf1aa9b35c} 12241200x80000000000000001423210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{935b7f48-0ede-44dd-9bc2-e00bb635cda3} 12241200x80000000000000001423209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{3697a558-3ed3-49be-a4c1-c1a4448653b4} 12241200x80000000000000001423208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{b6fdab6b-dcc6-43e3-99ce-7aeca65063a4} 12241200x80000000000000001423207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c42f1cd6-3a95-4ae2-a513-793c3ae610c7} 12241200x80000000000000001423206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{2db25e6c-f07a-44f4-b6c8-50a330d2790b} 12241200x80000000000000001423205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{375fb39b-08c6-40f2-bdf2-08fa63f970a2} 12241200x80000000000000001423204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{2dd96961-5757-434f-b617-34e732517c0e} 12241200x80000000000000001423203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{cbfb56db-3c85-4543-9bc2-76ea28cdd74e} 12241200x80000000000000001423202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{13bfd422-6f75-4408-8924-9400ec0cb19c} 12241200x80000000000000001423201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{64e55933-15a5-495d-a928-ccca43d44875} 12241200x80000000000000001423200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{91ffecf0-0a9e-4572-95f1-a7111af86967} 12241200x80000000000000001423199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0ccc96a3-8c5c-45e2-b80e-7e37b16cc1ad} 12241200x80000000000000001423198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{a47525e2-725b-4888-8af1-ba5a60c04f4d} 12241200x80000000000000001423197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c016105c-eb34-4519-a5fd-5f4e4ad4d18e} 734700x80000000000000001423196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.614{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 12241200x80000000000000001423195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{074f7f68-ee10-428a-89d1-ba78f6c327ca} 12241200x80000000000000001423194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0aa7fff8-919f-453c-928c-28a12122ba38} 12241200x80000000000000001423193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{b6b2ca61-fb98-4422-adc2-e7cf56b3680c} 12241200x80000000000000001423192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{5b0cb2e2-ab87-4974-9f1c-2f22a654eeb9} 12241200x80000000000000001423191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{07a24961-a760-4e80-b263-6d275e1b09cb} 12241200x80000000000000001423190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{1165065e-4996-4338-abaf-4b8556b4d431} 12241200x80000000000000001423189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{716b48eb-0a35-4a76-92ab-1d987230d288} 12241200x80000000000000001423188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{be7cbdf4-b192-4aa5-94f8-1fb5c5ee07bc} 12241200x80000000000000001423187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{4d9581d2-aef8-4993-84cd-b986ced80d42} 12241200x80000000000000001423186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0c3be01b-fe70-4cc4-89dc-c07996b67e6d} 12241200x80000000000000001423185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{c970a45d-57f9-4e32-a5bd-886a9662641e} 12241200x80000000000000001423184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{12c38916-82ac-4737-8f38-b6957ffebad6} 12241200x80000000000000001423183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{0c41d586-9c19-4e01-9d66-b5b98a97576e} 12241200x80000000000000001423182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{f444c576-6e60-4ea2-9faa-80d57ed12cd2} 12241200x80000000000000001423181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-DeleteValue2021-09-29 07:42:22.629{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\BFE\Parameters\Policy\Persistent\Filter\{dc95b53e-01cf-4058-821d-350b3d0d4676} 10341000x80000000000000001423180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.614{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001423179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.614{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{3CBF4F06-C535-4558-82A8-26F69CFBA65E}\DateLastConnectedBinary Data 10341000x80000000000000001423178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.614{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.614{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.426{69CF5F33-1898-6154-0B00-00000000FE01}636NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.ftlMD5=3B6EA360654F70E0684F0FF337684098,SHA256=2680BC968E5418E2F3DE2DB910AF27C15725D69948A6AF785B6C4BF2CE11680C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001423175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.348{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x00000775) 13241300x80000000000000001423174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.286{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001423173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:22.286{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 354300x80000000000000001516832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.736{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259429- 354300x80000000000000001516831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.735{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54251530- 354300x80000000000000001516830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.735{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54255716- 354300x80000000000000001516829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.735{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54258336- 354300x80000000000000001516828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.735{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54265216- 354300x80000000000000001516827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.384{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57763-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 22542200x80000000000000001423251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.657{69CF5F33-189A-6154-1500-00000000FE01}1056gywrozbi9003-C:\Windows\System32\svchost.exe 22542200x80000000000000001423250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.631{69CF5F33-1899-6154-1100-00000000FE01}972isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 22542200x80000000000000001423249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.460{69CF5F33-189A-6154-1500-00000000FE01}1056win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 13241300x80000000000000001423248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:23.786{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 354300x80000000000000001423247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.310{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46155-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.303{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-542.attackrange.local49703-false13.107.4.52-80http 354300x80000000000000001423245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.220{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45704-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:21.988{69CF5F33-1899-6154-1300-00000000FE01}296C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:34af:11d8:f5ff:fef0-546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x80000000000000001423243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:21.140{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-39845-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001423242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:23.707{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001423241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:23.707{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001423240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:23.707{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001423239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:23.645{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000436) 354300x80000000000000001516847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.974{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54253123- 354300x80000000000000001516846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.974{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54258154- 354300x80000000000000001516845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.714{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3930-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.069{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54252584- 354300x80000000000000001516843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.067{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54261259- 354300x80000000000000001516842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.067{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54257944- 354300x80000000000000001516841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.050{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249709-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001516840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.036{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249708-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001516839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:22.021{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249707-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001516838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.904{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54259433- 354300x80000000000000001516837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.899{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249706-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001516836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.853{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249705-false10.0.1.14win-dc-429.attackrange.local49672- 354300x80000000000000001516835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.850{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-54249704-false10.0.1.14win-dc-429.attackrange.local135epmap 354300x80000000000000001516834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.791{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54259431- 354300x80000000000000001516833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:21.739{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54259430- 22542200x80000000000000001423262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:23.129{69CF5F33-189A-6154-1500-00000000FE01}1056win-host-5421460-C:\Windows\System32\svchost.exe 354300x80000000000000001423261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:23.418{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52077-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.692{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local60967-false40.81.120.44-3544teredo 354300x80000000000000001423259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.612{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49709-false10.0.1.14-88kerberos 354300x80000000000000001423258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.598{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49708-false10.0.1.14-88kerberos 354300x80000000000000001423257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.587{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-2498-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.583{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49707-false10.0.1.14-88kerberos 354300x80000000000000001423255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.461{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-542.attackrange.local49706-false10.0.1.14-389ldap 354300x80000000000000001423254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.415{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49705-false10.0.1.14-49672- 354300x80000000000000001423253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:22.413{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49704-false10.0.1.14-135epmap 13241300x80000000000000001423252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:24.801{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000437) 23542300x80000000000000001516855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.959{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0011E9271F72DC74EB1F66ACFC4680D,SHA256=A800FEFCCA50004DF3CF0C029F85D80574F78E1E3D8F36E68AF655F1C425AF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.865{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A02E61E7E4171B7831EB10F67733FDD1,SHA256=7355BC0B693AC83DB9B2C76CF5A9659B5445F2996D6C2AAA112586A3EC38585A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.787{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=90D3AC6250F14AACEE3ED161B34B36AC,SHA256=C4D3E8A42FE1ECF874A6067F7219653DDABDDF9BF1A527E04306CCA701A32642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.772{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A02E61E7E4171B7831EB10F67733FDD1,SHA256=7355BC0B693AC83DB9B2C76CF5A9659B5445F2996D6C2AAA112586A3EC38585A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.772{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=DDFBD02B816D3F9D69B33DA9C4C81431,SHA256=3C06BDBD6D40B633A42E3FAB6E6D0AD12602903DA9C4558A716110AAA846C9B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.772{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DNS ServerMD5=26B1474248E4DBA0A59AD938BAF95C33,SHA256=F4A25653812B49215795EFF25BF874D7B54015D672134BA534039E4894D630C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.772{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5985E7C971BD5DB3F746C0A8501AD9F,SHA256=9BFC9798D3A273F4214BF24345F14951EFDC0EB309F63169529FC902291ACB37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.772{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=617A9968082DF956F324B098F3667C2B,SHA256=207EB90C2D1030E1068D29A95CB90B8E4086B6894FFBDC4AD657872A139B0756,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.879{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.879{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.879{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001423285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:24.527{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-57841-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001423284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.801{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.801{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.801{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.739{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.739{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.739{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001423278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.645{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001423277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.645{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001423276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.348{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0x8babfa3e) 13241300x80000000000000001423275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001423274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001423273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001423272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001423271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001423270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001423269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001423268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001423267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001423266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001423265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001423264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001423263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:25.301{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 22542200x80000000000000001423318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.605{69CF5F33-189A-6154-1900-00000000FE01}1804WIN-HOST-5420fe80::e060:eede:318:987a;::ffff:10.0.1.15;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001423317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.306{69CF5F33-189A-6154-1500-00000000FE01}1056win-host-542.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 10341000x80000000000000001423316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.922{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.922{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.922{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.922{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.922{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.922{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.922{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.922{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1900-00000000FE01}1804C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001516858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:26.053{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84151C238338A4FA77C600F70C537E56,SHA256=C7154434E2A0FE0B92F73B14C2994F5BD85B735231F284F028EEB3B6E2776478,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.335{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x80000000000000001423307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.334{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-542.attackrange.local123ntpfalse10.0.1.14-123ntp 354300x80000000000000001516857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:23.850{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-8194-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:23.397{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-53150-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001423306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:24.738{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local60967-false40.81.120.45-65444- 13241300x80000000000000001423305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:26.650{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x00000438) 10341000x80000000000000001423304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.575{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.575{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.560{69CF5F33-189A-6154-1500-00000000FE01}10562568C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.439{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9419D2BD4EDD9B97D9101BA1E1E3C9D1,SHA256=AEFC8404102431A7DA43106B1D64C902A703800C5BC2758E24E97B9F8D56B996,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.424{69CF5F33-189A-6154-1500-00000000FE01}10562568C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=73810E7D882A50AF8571573600270A24,SHA256=C1D9EC80BCDB27BE86E739F1AAD2C3CD7AB87D8CEC6DF2FC69881BFB048A058F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001423298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:26.301{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000001423297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:26.301{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000130bf) 13241300x80000000000000001423296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:26.301{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b487-0x109a6d82) 13241300x80000000000000001423295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:26.301{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b505-0x8babfa3e) 13241300x80000000000000001423294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:26.301{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b583-0x462e123e) 23542300x80000000000000001423293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.286{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3213027084E86B8FE9CF375DFFA08231,SHA256=4129F7FB276DEEB9443640D5177FE82805E87595E10C8711C726705AA0EFB779,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.286{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A368A1EE7738BF64073EC37AF771A6AB,SHA256=5998706614F29039340B03B009923ECD7CAEFA9080D72EEE21FB08A0AE921B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.223{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CFAFDF727017C6CC8E3D61F8755FADF8,SHA256=3CA4F2C1BD163A6449ED0AA298771BADB6B5E0FFB981737937AAD5D2DCB7EAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.145{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CFAFDF727017C6CC8E3D61F8755FADF8,SHA256=3CA4F2C1BD163A6449ED0AA298771BADB6B5E0FFB981737937AAD5D2DCB7EAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.129{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CC39A0D3C578BE1ED7F0B4B21769AFBB,SHA256=6F963FE43E31104433896DE4E7DC4382D91E09815F1ED432C2ADB2E2FB148ACF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.980{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.980{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.980{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.965{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.965{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.965{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.965{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.965{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.965{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.949{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.949{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.949{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.934{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.934{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.934{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.919{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.919{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.919{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.904{69CF5F33-18E3-6154-7300-00000000FE01}2336428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001423405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.904{69CF5F33-18E3-6154-7300-00000000FE01}2336428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 354300x80000000000000001423404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.173{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49712-false52.152.110.14-443https 354300x80000000000000001423403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.943{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49711-false10.0.1.12-9997- 354300x80000000000000001423402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.917{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:25.822{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-6990-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001423400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.768{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-18E3-6154-7300-00000000FE01}2336C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18E3-6154-7300-00000000FE01}2336C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-18E3-6154-7300-00000000FE01}2336C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.753{69CF5F33-18E3-6154-7300-00000000FE01}2336C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001423387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.723{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.692{69CF5F33-1898-6154-0A00-00000000FE01}628928C:\Windows\system32\services.exe{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.677{69CF5F33-1898-6154-0A00-00000000FE01}628724C:\Windows\system32\services.exe{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.678{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001423373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.662{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.662{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.662{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.662{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.647{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.647{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.647{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.647{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.647{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.632{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.617{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.617{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.617{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.617{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.617{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.617{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.450{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.450{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.450{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.450{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.450{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.450{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.435{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.435{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.435{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.435{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.435{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.435{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.420{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.420{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.420{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.405{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.405{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.405{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.390{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.390{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.390{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.390{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.390{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.390{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.314{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.314{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.314{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.299{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.299{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.299{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.299{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.299{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.299{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.284{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.284{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.284{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.284{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.284{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.284{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001516868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:27.147{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A075A91A17E3C0B3DE6B425BE51F3A6,SHA256=443EB86EF720983364F0DC16A6CE843BE66309E4835F1ED045A426D43DD01622,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.249{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56215-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:24.962{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-12944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:24.772{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54260066- 354300x80000000000000001516864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:24.772{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse10.0.1.15WIN-HOST-542123ntp 354300x80000000000000001516863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:24.771{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54251120- 354300x80000000000000001516862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:24.744{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54257844- 354300x80000000000000001516861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:24.742{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54264449- 354300x80000000000000001516860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:24.662{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54255818- 354300x80000000000000001516859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:24.177{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54255817- 22542200x80000000000000001423472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.942{69CF5F33-189A-6154-1900-00000000FE01}1804WIN-HOST-5420fe80::e060:eede:318:987a;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001423471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:26.942{69CF5F33-189A-6154-1900-00000000FE01}1804WIN-HOST-542010.0.1.15;C:\Windows\System32\spoolsv.exe 13241300x80000000000000001423470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.676{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001423469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.676{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 10341000x80000000000000001423468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.586{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001423456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.479{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001423455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.479{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00013989) 13241300x80000000000000001423454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.479{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b4fd-0x2b94b8ff) 13241300x80000000000000001423453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.479{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b505-0x8d5920ff) 13241300x80000000000000001423452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.479{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b50d-0xef1d88ff) 10341000x80000000000000001423451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18E4-6154-7400-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18E4-6154-7400-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.388{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18E4-6154-7400-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.389{69CF5F33-18E4-6154-7400-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001423438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001423437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001423436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001423435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001423434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001423433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001423432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001423431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001423430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001423429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001423428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001423427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001423426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:28.252{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001423425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.146{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5D58034C44A0E8F93AB1A86F19BDFA24,SHA256=C437130AA0F93E7AE55A93030466A4CB74FFEB4DEDF187FF14DACF12DD463557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:28.225{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04C647D84AE809A5AD10CB8DA6DF3264,SHA256=879C3424F2EA7D4F673FB7191F727D38FAD38733C6AD0A9C835E35F35946DE1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:26.236{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259162- 354300x80000000000000001516872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:26.236{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54260476- 354300x80000000000000001516871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:26.085{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-17430-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.681{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49717-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal9997- 354300x80000000000000001516869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:25.488{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54251896- 10341000x80000000000000001423498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.419{69CF5F33-18E5-6154-7500-00000000FE01}92984C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18E5-6154-7500-00000000FE01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18E5-6154-7500-00000000FE01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18E5-6154-7500-00000000FE01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.237{69CF5F33-18E5-6154-7500-00000000FE01}92C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001423484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.085{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001516880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:29.287{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B27B84923284236F48FC0A4F3F776233,SHA256=665C6A289660ED20698635C478CA49C2FF261F7C4EFB1E456A6398326A705E41,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:27.758{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54255965- 354300x80000000000000001516878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:27.757{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54256070- 354300x80000000000000001516877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:27.622{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54260617- 354300x80000000000000001516876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:27.271{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54255539- 354300x80000000000000001516875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:27.149{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001423516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:29.636{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-25330-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.307{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49714-false52.238.248.3-443https 354300x80000000000000001423514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:28.299{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17925-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.817{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-10413-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:27.106{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001423511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18E6-6154-7600-00000000FE01}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18E6-6154-7600-00000000FE01}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.011{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18E6-6154-7600-00000000FE01}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.012{69CF5F33-18E6-6154-7600-00000000FE01}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001516884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:30.397{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDA26FEB4576754A4D18C2B5BAD0E030,SHA256=DB7F919FB5B5F227583CFA04276739B0DEEB8DD2D530F62CCCAA2E82FC2707EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:28.227{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:28.101{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54253790- 354300x80000000000000001516881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:28.099{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54257864- 10341000x80000000000000001423605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.898{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.898{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.898{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.898{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.898{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.898{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.883{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.868{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.868{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.868{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.868{69CF5F33-18E3-6154-7300-00000000FE01}2336428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001423586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.868{69CF5F33-18E3-6154-7300-00000000FE01}2336428C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe{69CF5F33-18E3-6154-7200-00000000FE01}3456C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001423585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.852{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.852{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.852{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.852{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.852{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.852{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.837{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.837{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.837{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.837{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.837{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.837{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.730{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.715{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.715{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.715{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.715{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.715{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.715{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.715{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.700{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.685{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.685{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.685{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.669{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.669{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.669{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.669{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.669{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.669{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.654{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.654{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.654{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.654{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.654{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.654{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.639{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.639{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.639{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.639{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.639{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.639{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.639{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.624{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.624{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.624{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.624{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.609{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.609{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.609{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.609{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.609{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC8DBC2ECA7D0983C69D5E1482E3C4FF,SHA256=4D9D50F97470133508E7F4B22C648D26B4DB8E44F6786C50EBB5F745430D299A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.593{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC8DBC2ECA7D0983C69D5E1482E3C4FF,SHA256=4D9D50F97470133508E7F4B22C648D26B4DB8E44F6786C50EBB5F745430D299A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.593{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3213027084E86B8FE9CF375DFFA08231,SHA256=4129F7FB276DEEB9443640D5177FE82805E87595E10C8711C726705AA0EFB779,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.395{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.395{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001423529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001423528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001423527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001423526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\FlagsDWORD (0x00000002) 13241300x80000000000000001423525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\TtlDWORD (0x000004b0) 13241300x80000000000000001423524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentPriUpdateToIpBinary Data 13241300x80000000000000001423523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\SentUpdateToIpBinary Data 13241300x80000000000000001423522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\DnsServersBinary Data 13241300x80000000000000001423521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\HostAddrsBinary Data 13241300x80000000000000001423520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\PrimaryDomainNameattackrange.local 13241300x80000000000000001423519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\AdapterDomainName(Empty) 13241300x80000000000000001423518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\Hostnamewin-host-542 13241300x80000000000000001423517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:31.182{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{A4D02FEC-9CCE-49E7-8A81-FD08FF1EDCB1}\RegisteredSinceBootDWORD (0x00000001) 23542300x80000000000000001516889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:31.506{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9DE9C048CC46DBDA1104E3D6DE15090,SHA256=91E47313C9073581C75270BC05D9C425BB02CC64D7C8F5F9F9BF3411689ECB43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:31.490{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE604B3ACF03E2A2DD8D10D695052769,SHA256=F836B6503B08113B1D383F739F1EDC062BAF4E023767294412F6B4F42E29044F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:31.272{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDE9F42E557468A36B20564083A9C511,SHA256=7619277CCB76FCDC5EE9ACF110728B40A897B5E04097ADC87A94B0BE610F334D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:29.489{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54257198- 354300x80000000000000001516885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:29.324{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-30758-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001423609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.591{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-44820-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.505{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-44626-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.800{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-13846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:30.714{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001516892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:32.553{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B73BAE4714834CF32CD26C53F6132FC,SHA256=7C0054CA158CDB1CE648BDD349388A8568C2C86A0C67E83721BFABF11B740788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:32.506{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89F9AB8B8E7FB856AAE529A50ACC417,SHA256=2A600120E76B1A329A3A539E9511EC00738475AA902EEB7FCC51F355048B7BB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:29.609{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1824-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001423613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:32.990{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-42702-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:32.879{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-51912-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:32.314{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49715-false52.238.248.3-443https 354300x80000000000000001423610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:31.846{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-36748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001516943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.662{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F0DB8CD8BCEBF2456FEFA75E21CD3D6,SHA256=5BEF82D91453AB30498BC7328009ED8C0F1927ADD0106619E12C8CDACF6821E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.600{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18920773B4633607EEC53EBED17684FB,SHA256=D673F255581670D269F806E273C9D35FCE2B73DE357F7CDA88A9F8B594238270,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.600{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B174BEE4A40A893C210D9BB520A1C8D6,SHA256=1897EABBDCD1733EC6B4FA45F6C2E55F0B33D397038F01473162C852F3C51C81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.553{5EBD8912-18E9-6154-7900-00000000FE01}588NT AUTHORITY\SYSTEMC:\Windows\system32\cmd.exeC:\Windows\Temp\silconfig.logMD5=9738B794DD64FE2CB6AE12D6CD5B5E6C,SHA256=A9ED641EA4281C9FF23AAFAF6EF9DFE887D63576A0419F244264D906D42EA987,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.522{5EBD8912-18E9-6154-7A00-00000000FE01}6483276C:\Windows\system32\conhost.exe{5EBD8912-18E9-6154-7C00-00000000FE01}3304C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18E9-6154-7C00-00000000FE01}3304C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.506{5EBD8912-18E9-6154-7B00-00000000FE01}13163148C:\Windows\system32\cmd.exe{5EBD8912-18E9-6154-7C00-00000000FE01}3304C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.516{5EBD8912-18E9-6154-7C00-00000000FE01}3304C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exeC:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{5EBD8912-18E9-6154-7B00-00000000FE01}1316C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64 10341000x80000000000000001516926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18E9-6154-7A00-00000000FE01}6483276C:\Windows\system32\conhost.exe{5EBD8912-18E9-6154-7B00-00000000FE01}1316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18E9-6154-7B00-00000000FE01}1316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.490{5EBD8912-18E9-6154-7900-00000000FE01}5882848C:\Windows\system32\cmd.exe{5EBD8912-18E9-6154-7B00-00000000FE01}1316C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\msvcrt.dll+4ba7c|C:\Windows\system32\cmd.exe+103c4|C:\Windows\system32\cmd.exe+10910|C:\Windows\system32\cmd.exe+c36d|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001516914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.500{5EBD8912-18E9-6154-7B00-00000000FE01}1316C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c C:\Windows\system32\reg.exe query hklm\software\microsoft\windows\softwareinventorylogging /v collectionstate /reg:64C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-18E9-6154-7900-00000000FE01}588C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /d /c C:\Windows\system32\silcollector.cmd configure 10341000x80000000000000001516913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.476{5EBD8912-18E9-6154-7A00-00000000FE01}6483276C:\Windows\system32\conhost.exe{5EBD8912-18E9-6154-7900-00000000FE01}588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18E9-6154-7A00-00000000FE01}648C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-18E9-6154-7900-00000000FE01}588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001516901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AC-6154-1600-00000000FE01}12721156C:\Windows\system32\svchost.exe{5EBD8912-18E9-6154-7900-00000000FE01}588C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.459{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001516898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.162{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B3B606092BCC199D1796D0A136FE4331,SHA256=D04F8E9937F3EF8F35F92924794317B902B127F92D950463C2270100BD23FA5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.162{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B9CDB6252D17D528A0D6AA16C0F8DC1D,SHA256=3DB49A53A3A411301E1526A81AE1955B0EAFA6D962FD165374F77CB987221F33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:31.494{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-39382-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:30.778{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54258050- 354300x80000000000000001516894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:30.774{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54263093- 354300x80000000000000001516893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:30.418{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-35235-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001423614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:34.403{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\Logs\WindowsUpdate\WindowsUpdate.20201209.064301.566.1.etlMD5=97D0F78187202C68CE6368D69F7BC05F,SHA256=645283592247E03F2CFA1A43D97C6BE88B27B612AD29B268EC3FC75320003838,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:34.959{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D08A84305956A0AFC84C3DC56C8A8513,SHA256=3FEA148679DE4D995BBF6D4171126556422E8AC5B39B308781606786D0DB123F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001516948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:34.709{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73597A3B36A48266EDBFDCB57CEBACF,SHA256=75771D46FA26F3014B4EAE9121CF0247A07CB066EB598FE3A3D55FB753E37743,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:32.955{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49720-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001516946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:32.940{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49719-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001516945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:32.610{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-43902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001516944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:32.554{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54260740- 354300x80000000000000001423616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:34.086{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-48671-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:33.164{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-17066-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001516951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:35.928{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74AA0F305683B067CB330471DF21094,SHA256=0582E47572C165C6F67EC96B1D34888C70CEC95E67963893A2FF6903EB0D89AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001516950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:33.774{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001423618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:34.799{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49717-false104.109.93.180a104-109-93-180.deploy.static.akamaitechnologies.com80http 354300x80000000000000001423617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:34.214{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-58206-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 734700x80000000000000001517002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.616{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeC:\Windows\System32\NetSetupSvc.dll10.0.14393.4467 (rs1_release.210604-1844)Network Setup ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationNETSETUPSVC.DLLMD5=9DFC2E95D31B43B2833D3760C7E00A4B,SHA256=894FB2AC7BA15C6CCDBC62480B27A01A8FAE5B55E13D537251986D87B5A12483,IMPHASH=14F8BB5E943EA23F79CC3EC6B8C493FBtrueMicrosoft WindowsValid 23542300x80000000000000001517001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.553{5EBD8912-18AC-6154-1600-00000000FE01}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\WindowsUpdate.logMD5=038356387332650843BCB352BB89A101,SHA256=492C9B102256321FB5598FF87ED5BCCAB8159F36DD8416CE4011FFBF5E96048D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.506{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F194489212429F078C66528D8797F9,SHA256=0ED937EC6F0BE271614463B0BAFB3DB5358366B69F61087C96E6FF98EDBF84EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001516996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AC-6154-1600-00000000FE01}12721820C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AC-6154-1600-00000000FE01}12721820C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001516981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B3B606092BCC199D1796D0A136FE4331,SHA256=D04F8E9937F3EF8F35F92924794317B902B127F92D950463C2270100BD23FA5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001516980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.444{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0900-00000000FE01}580C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.428{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.428{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.428{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.334{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001516957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001516956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.319{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001516955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:34.242{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54263244- 354300x80000000000000001516954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:34.233{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54255810- 354300x80000000000000001516953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:34.175{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-8062-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001516952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.037{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5FC3A6B3E1084CD2132E24EA657C927,SHA256=E174908D1BACB76FF24F7839F7365AC8A78B83A139D7254AB59EB5764CF1F5B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:35.199{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-54636-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:34.833{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49719-false104.109.93.180a104-109-93-180.deploy.static.akamaitechnologies.com80http 354300x80000000000000001423619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:34.816{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49718-false20.86.173.234-80http 22542200x80000000000000001517012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:35.555{5EBD8912-18AC-6154-1100-00000000FE01}444win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 23542300x80000000000000001517011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:37.319{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9258803EFAA9EC80A52D040BD9BB3EAD,SHA256=1DCED91052143D6CC50041647F9BCEFCB78FC4D2AE0B537FE20411AD6036D1A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:37.319{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=90D3AC6250F14AACEE3ED161B34B36AC,SHA256=C4D3E8A42FE1ECF874A6067F7219653DDABDDF9BF1A527E04306CCA701A32642,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.055{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57679-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:35.614{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54253456- 354300x80000000000000001517007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:35.543{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49721-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001517006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:35.543{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49721-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001517005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:34.962{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53476-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:37.162{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EC563BBC58EBCE3145304EDB0077152,SHA256=C0E55C95A8221E10405A15176AAF319DB99BE2409ADBE5C5DD3E090127069B8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:37.006{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE08365587EA5F0BB77E0C104ADBCE80,SHA256=4D817DE9BCC9638FDD49AB7FB0C00CD8AF9AFD5ECAC6A616918D502879B02348,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:36.276{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-1344-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:35.487{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-6804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:38.241{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE0CD30C8FC9D9F90D0103F509A6A6D3,SHA256=A324D60388B8999C8FEB7849F14E54496676061F50BA7CDBFE7E989F69396512,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.646{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54255549- 354300x80000000000000001517017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.326{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local49724-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001517016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.326{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49724-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001517015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.315{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49723-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001517014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.315{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49723-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001517013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:38.053{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB8308E947AADE55CC02D7614249436,SHA256=1393017F0AF1B852D5597D15C31C8C6F50B2802F4DC1C6DC712F87076543BC4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:37.988{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-20655-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:37.383{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7204-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:36.738{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-13987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:39.303{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DADF563FFC503A6E53FE949A82DE4555,SHA256=D431E6CC789C6AE91A98DF3A354A119B1D550C02001ACFF57581715F2AA74451,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:37.165{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:36.964{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11344-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:39.053{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B564F12C8BDAFC3342B6E533ED9E6BAC,SHA256=0816743595C577523A791BFF523FA051999C7A27E072D60F94071B69D04B2F67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:38.604{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-23743-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:38.604{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13573-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:40.475{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C61E1FCE37E5AB3094756F95B9E6869,SHA256=39F959F3B6F66F0F0E3F4E9C133ECC1501E669B14206EFAE2E6BB48139EBEC59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:39.002{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13991-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:38.302{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49726-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:38.243{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-7262-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:37.770{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49725-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:37.226{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49722-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001517024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:40.053{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED60C2E0F6A869B0B71754E6CF3A763B,SHA256=840220853BDA13AD69EB0298DA0E8836018542812AB23C725D66D3BB4C6F7A30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:40.408{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49722-false10.0.1.12-8000- 354300x80000000000000001423633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:39.908{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49721-false10.0.1.12-8000- 354300x80000000000000001423632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:39.715{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19768-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:39.395{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49720-false10.0.1.12-8000- 354300x80000000000000001423630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:39.238{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-26906-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001423629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:42:41.039{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0x950638a2) 23542300x80000000000000001517033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:41.597{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9F23C6D8FD206FA20E9FCAE92DB0F83,SHA256=8D0AF4DF9A6BC2FC08ED11BE0693492BFFC31828F842A5BB18814D50525E926D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:39.377{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-11644-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:41.066{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEE8A7AE49D0DFB9FC6735453658AB42,SHA256=02DAE0C54EDD26F40CD157C44BFE3F8E866DDA9791C45B3877FA59495D77C4C5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:41.262{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26947-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:40.826{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-25485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:40.488{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-34029-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:42.722{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25BDBE31391E175E2E1CEB7C395C6513,SHA256=E979BAA24FBAEAB49BCDB08903BCE496A8B051030DF6CE59F023ABEEE930435B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:42.097{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19671D9D6E3C1696B4982CAFC39CA46D,SHA256=0E8ED95F26C5E1308F629BA09AF784B41D8C06C33BC41688DE2C446C5E1E828D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.976{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FF5B94F6A7180AA770E20AD24822876,SHA256=BE112A0203CE43F1E9D9C3496DDA60F53563757129508CC01FD9F13989E4CE80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.687{69CF5F33-18F3-6154-7700-00000000FE01}26322636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.670{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212FD385C583D3639E814B6643A35492,SHA256=C223AA02AE5B9C3DA18A6A80511921BAF9A71B9BE7346D2BA6DEB9EC9D99FED3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:41.965{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31565-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:41.742{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-40564-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.541{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09825555832B69B76097F1DAB6BCF59A,SHA256=D3AFD00C61370532B8B9E73C56B274AC3EACE87F9FABC5B9EDE536DCC79B5628,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.493{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A17398FD35E111436D27AAB840E984EC,SHA256=699699D45A903323FAC923F795DE3C305DC51DD31FF907370A3E1F20F6DDA41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.461{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=602335DD135CB1ADBF5494952E1C7164,SHA256=83F57914B2452F535EAFA331AAF5CC6F0D1C8EF12D0BCDB18406C74907BCB531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.461{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A17398FD35E111436D27AAB840E984EC,SHA256=699699D45A903323FAC923F795DE3C305DC51DD31FF907370A3E1F20F6DDA41F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.461{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00943F7042EF68455A7E596315BEBE2A,SHA256=3A27172C47A79637E2CC0CF54B1B875C0B8AE42FF4489F5FB2A920A43B6FF60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5FC81D9285421E9B97D3724EDFA5E843,SHA256=A3CD5746F864A4942733FCC8844E8A352BCB1BB29306AE4B51A04E779BAD778E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAB3B119848BA2C85EAD69AF398D2A01,SHA256=305463275A0B4E4449CCCCDDC13F1F0BFF54378D68CD27782DC9E945A292DCCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18F3-6154-7700-00000000FE01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18F3-6154-7700-00000000FE01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.445{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18F3-6154-7700-00000000FE01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.448{69CF5F33-18F3-6154-7700-00000000FE01}2632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:43.831{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=81E5EA7B71A7B83C2CBE9F5A55CC20FB,SHA256=E0BB4B159A7AEEA10CF004D748D27CF8DBE67E18C595ABAD4BA9C99F03ACAD7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:41.802{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17616-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:41.611{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-20895-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:40.492{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-16236-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:43.144{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEE39FF165C5F4FE48620A7129382A59,SHA256=FED84DC0F27355102C50C91978EE9EBD55FD76CCA444E05B078D7710ED0440B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18F4-6154-7900-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-18F4-6154-7900-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.925{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18F4-6154-7900-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.927{69CF5F33-18F4-6154-7900-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001423679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.732{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA451D470BE3EF4966E8BB95BDA9E2E5,SHA256=04EE6F85B4E1473BDCD44AFBB3FBB23438833B70C0D60808CA21450BC32A0AE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.475{69CF5F33-18F4-6154-7800-00000000FE01}27803172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001423677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.340{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-47227-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.126{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-37552-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001423675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18F4-6154-7800-00000000FE01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-18F4-6154-7800-00000000FE01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.282{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18F4-6154-7800-00000000FE01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.284{69CF5F33-18F4-6154-7800-00000000FE01}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:44.910{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B34BAD41FC7FB2D398007641130B068,SHA256=7928230DB1DB8332B0FAC412399799263691312285DCBF4AEFE30C8D81081EE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:42.739{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25450-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:42.036{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49727-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001517041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:44.255{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DE024146B3931D68CFC73039744ECA9,SHA256=FAC8C4197FC7D427154C15A4FE627D5C266E70C6FD59FEF933054BB309AF2FC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.493{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49723-false10.0.1.12-8000- 354300x80000000000000001423709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.245{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-43671-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:43.878{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-30439-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001423707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-18F5-6154-7A00-00000000FE01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-18F5-6154-7A00-00000000FE01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.439{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-18F5-6154-7A00-00000000FE01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.440{69CF5F33-18F5-6154-7A00-00000000FE01}1076C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001423694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.214{69CF5F33-18F4-6154-7900-00000000FE01}3960756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.150{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24D72E0FB6B7851487A1F93B7F537C94,SHA256=1D6988B096516FF6E07EBCECA8E3AF0B0C2FBD082A61CAB7F3DB760810E1D6DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:45.988{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84375663E14FCE8796FD5FCC22A6BE74,SHA256=ACB02D009DFFE824D8C32E0A0F1B4E2408A5AE1797D13D8C40344810E387F12C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:43.837{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-30075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:45.269{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63C0C7A1B5412D5E9010516DDD5E635,SHA256=31E061E5240198CAFDB4A648F421A0228C36B90E37123F1A16D4ECDB7C8CCA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:46.456{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=52157618CC5845B798C1974C740130E2,SHA256=9AEBF00BACCD6CC628CB9806E64C6E4C4A0A7580E3C6851170809E5E858AC925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:46.456{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9258803EFAA9EC80A52D040BD9BB3EAD,SHA256=1DCED91052143D6CC50041647F9BCEFCB78FC4D2AE0B537FE20411AD6036D1A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:44.913{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-34422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:44.842{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21317-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:46.269{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F1E63D21137E6F046AB322FB956EC7,SHA256=0C4703DD8688FF69EA3BDF42AC4999C63800D9942E3F1BF7B25612F89C20B55B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.347{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-49683-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:45.271{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49724-false10.0.1.12-8000- 354300x80000000000000001423713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:44.614{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-54593-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:46.322{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=992B6591ECB9D0C24B4DCC6760ED624A,SHA256=F3416DBC795DFC07168358802EBB16982D3601BFFF5FCED6CC1E77DF11E40DAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:46.322{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6F11B31DDEB3E5DC2F7DC836E43C6AB,SHA256=29E28E894F6CEF6017B4354A2E525B7888BE2A236719566612DD801AD17CF545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.911{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.911{5EBD8912-18A9-6154-0B00-00000000FE01}640848C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001517061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:47.899{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000001) 13241300x80000000000000001517060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:47.899{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{b4aceb91-3521-4f28-a5f8-434384469e9a}\Dhcpv6StateDWORD (0x00000000) 13241300x80000000000000001517059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:47.849{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001517058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:47.849{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\CountDWORD (0x00000002) 13241300x80000000000000001517057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:47.849{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\tunnel\Enum\1SWD\IP_TUNNEL_VBUS\Teredo_Tunnel_Device 23542300x80000000000000001517056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.617{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-000MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:45.991{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-38762-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.285{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3CE4FC26C051058C81E5218F76B282B,SHA256=87D2D56441BBCC734B4248F6BB2F2DFCF5BDF978645FC33A343AFEA6F403ECCD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:46.445{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-55352-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:46.194{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-3695-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:47.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E6C376D8A273973D92BFD07278F0EBA,SHA256=1CD1774812B424E3AAF6A1FCF325043293A388139AF6F0F052BC184A6FD93830,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:47.363{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AE13555A47FD5B8B77447480D67902,SHA256=72136BA2A6FBAC49D5FFE2D3191232BFF754C3C9FB2DBFCF12AA074A97032657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.066{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73293D141198A90547EE8CEF0FF1FDB4,SHA256=9AA1E193B94268120EE95DAEAE4A085A00FFDDD00A7D8523AEB424E410D15CA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:47.620{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2404-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:47.456{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-10011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:47.023{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse209.124.239.182ip-209-124-239-182.static.eatel.net62924-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:46.847{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-34473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:48.498{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F7658AF296503924DAC8CDDEED2AC1A,SHA256=BD49E4FE8B09982D8C89DFD67EDEE522EC38BA4CFF13AE46E9AE276DE879D313,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:48.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435B5F0B5D4C508FCD7FE83D2E5BCEBF,SHA256=98352706DE3BE430E790D7A3C9BB88733EC430CD701DBA1FF509DBC4810DE808,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.909{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=52157618CC5845B798C1974C740130E2,SHA256=9AEBF00BACCD6CC628CB9806E64C6E4C4A0A7580E3C6851170809E5E858AC925,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.848{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61224-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local61224- 354300x80000000000000001517083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.834{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56701- 22542200x80000000000000001517082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.071{5EBD8912-18AC-6154-1400-00000000FE01}948eu-central-1.compute.internal1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001517081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.070{5EBD8912-18AC-6154-1400-00000000FE01}948vaxneyfe1460-C:\Windows\System32\svchost.exe 22542200x80000000000000001517080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.966{5EBD8912-18AC-6154-1400-00000000FE01}948win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;fe80::1006:53c:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001517079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.913{5EBD8912-18AC-6154-1100-00000000FE01}444win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;fe80::1006:53c:f5ff:fef1;::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 22542200x80000000000000001517078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.851{5EBD8912-18AC-6154-1600-00000000FE01}1272win10.ipv6.microsoft.com.0type: 5 onpremwindows.ipv6.microsoft.com.akadns.net;type: 5 trdovmssukwest.ipv6.microsoft.com.akadns.net;40.81.120.44;C:\Windows\System32\svchost.exe 354300x80000000000000001517077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.462{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25003-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.616{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-001MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001517075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:48.427{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0x996d84bb) 13241300x80000000000000001517074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:48.411{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch\EpochDWORD (0x000007b2) 354300x80000000000000001517073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.114{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local49728-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.083{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-43219-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.317{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=324646B1B3F6D412BDD805A82B1C4409,SHA256=F14A91CCEA85E318FABB31720D979E84376631688C275C5FA3D133FA4F7CC019,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001517070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:48.286{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001517069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:48.286{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 23542300x80000000000000001517068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.130{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BC61E8C2F8010B67D832794BDD9131B,SHA256=20F704C2D49E57825EEA02787F32D5C00F6AADF7532EFDA258375C4BF4D96359,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001517067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:48.067{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{97a9d540-17d1-423c-a727-394f22c703af}\NetworkPerformsHijackingDWORD (0x00000000) 13241300x80000000000000001517066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:48.067{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Dnscache\Parameters\Probe\{97a9d540-17d1-423c-a727-394f22c703af}\LastProbeTimeDWORD (0x615418f8) 13241300x80000000000000001517065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:48.067{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{97A9D540-17D1-423C-A727-394F22C703AF}\DateLastConnectedBinary Data 734700x80000000000000001517064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.005{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001423727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:49.727{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6945E44F49A325C513EBD7FB78D8032A,SHA256=68B92EAEE2324873889D15003EF0FDA27670D6ED2743DB79005E8FE4760C0FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:49.440{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EFBAAA6A7AF457CFBD06B77F780416,SHA256=A465D95487F59B953FDE71F9061EC921FC965B28E35EE16CED7F3516D993E7DC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001517100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.072{5EBD8912-18AC-6154-1600-00000000FE01}1272isatap.eu-central-1.compute.internal9003-C:\Windows\System32\svchost.exe 354300x80000000000000001517099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.281{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53467- 354300x80000000000000001517098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.281{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57723- 354300x80000000000000001517097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.276{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51065- 354300x80000000000000001517096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.160{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.074{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59726- 354300x80000000000000001517094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.056{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56237- 354300x80000000000000001517093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.952{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local49730-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001517092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.952{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local49730-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001517091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.912{5EBD8912-18AC-6154-1100-00000000FE01}444C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:1006:53c:f5ff:fef1-546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 23542300x80000000000000001517090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:49.318{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91359A24066C99AF09313E07F8A9E49C,SHA256=F4D50070E46503DB2708F045938C2FEA52FDA6230B0210FCE477C0855CFF6945,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001517089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:49.287{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000043c) 23542300x80000000000000001517088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:49.271{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6582B80F25F6099DC5AFA4568B0B80C3,SHA256=5D99CCD392DF77C1F118CCC6FE3676E0A9FE4B660C081C0CF9675B7FF140BF78,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.901{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49729-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001517086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:47.901{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49729-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 22542200x80000000000000001517108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:49.128{5EBD8912-18AC-6154-1400-00000000FE01}948win-dc-4291460-C:\Windows\System32\svchost.exe 22542200x80000000000000001517107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.297{5EBD8912-18AC-6154-1200-00000000FE01}452wpad9003-C:\Windows\System32\svchost.exe 22542200x80000000000000001517106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.292{5EBD8912-18A9-6154-0B00-00000000FE01}640_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 23542300x80000000000000001517105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:50.465{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B40A2ACBB49BAB7B5173200F53AE742,SHA256=508398F759FDDA4AB66CC549F4F7F3B50FEBCE97F09CA520D84DDEFAA3D1AF5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:50.875{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FCF6A2920414A590CECA3AC6134EB0B,SHA256=834A17AF0E6FC32D562AB89DDD1951DC51AB07A1C7C4949C46F22387D73F148E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:50.477{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233FA10762945B9DD80CE73C5AB47E22,SHA256=2F3A87B1433F789D382D03CF0CF12B1A3C31DEC025049F8C2CBCC142B0300874,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:48.743{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-8034-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:48.711{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-16589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001517104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:49.274{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-52171-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.401{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x80000000000000001517102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:48.396{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54261495- 23542300x80000000000000001517101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:50.340{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E660611727A47967930921C4EE6AE5A,SHA256=8C28C474F00270DBC02D00C3E1A3E478DEB10A2D628E2332D36BEF7E467C5DD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.723{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56B051CDFC66ACB033F5FF7C5746D206,SHA256=DDC3DAFCF4BC57AA4827C991CA9040268C9598D39169C359FD6C1378DB7CC5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:51.974{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=181446A09FB46D608B343BD1E5CFF9A1,SHA256=F6F93168174975FB40E985D779D4B4D888447BC931FF2D8954D79A4B8920A968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:51.512{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B74E3153F3BA697ADBDCE122BA1126,SHA256=C1226ACAA091AA45D14CD61BE608ED6F2AE0F9CBDB30094A8334AB60192E6B1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.472{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5EA19D48C392C969A3746A6270AC9F11,SHA256=4309E72958E39F1C988DFC98ED25C2B92DCC6C83C503C873E1CF11E2B517E056,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:50.369{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-56402-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:50.289{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55298- 354300x80000000000000001517127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:49.288{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52625- 13241300x80000000000000001517126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001517125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001517124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001517123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001517122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001517121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001517120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001517119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001517118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001517117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001517116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001517115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.330{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 10341000x80000000000000001517114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.314{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001517113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.314{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001517112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.079{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 13241300x80000000000000001517111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.079{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001517110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.079{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\MpsSvc\Parameters\PortKeywords\Teredo\CollectionBinary Data 13241300x80000000000000001517109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:51.079{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\Netlogon\Private\IPV6SocketAddressListBinary Data 354300x80000000000000001423733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:49.884{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-14407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:49.459{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-37900-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:52.730{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF06808E0B5B437AEA44CC21FB612F8,SHA256=D70FCA6199D9B459D1A219137E90A3C43834B16D0E62060A256FC66164F8532F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:52.730{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=885EF19DD691F3EF977DB2CAB3CFF965,SHA256=3C52483346822E3207AF029D3734A082539BA286A10291AF03A1298EEFD5CFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:52.992{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010E6942D2C045EFC4AC6E406D9BAF6E,SHA256=A72282EFAF1651D6EEBF86A8CB97508FA18937C89899D7AD6A6CF17BB074B80B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:52.546{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8411D5643FE0F3425690F8D74DD6011,SHA256=FA121BCE86C37956EDD509978FF172E7A4D4F19181C4CE3F798A6A4CC32345E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.304{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50002-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001517137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.304{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50002-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001517136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.303{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51437- 354300x80000000000000001517135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.300{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local50001-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001517134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.300{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local50001-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001517133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.291{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-429.attackrange.local65535-false10.0.1.14win-dc-429.attackrange.local53domain 13241300x80000000000000001517132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:52.116{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\SharedAccess\Epoch2\EpochDWORD (0x0000043d) 354300x80000000000000001423738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:50.978{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19832-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:50.255{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49725-false10.0.1.12-8000- 354300x80000000000000001423736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:49.973{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-23605-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:53.878{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DE0A31D9A982D77837F23818F502890,SHA256=A6A688E0C85F63A5F707525CEE522C96559546FC834F1082261E5EFC344BD5E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:53.736{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84127E59EC07D250CFA272ABC295662B,SHA256=850CC6C33154C5331195366DE766EF65B623ED6E9EB1C60E1693F881B1BC4303,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:53.595{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94728EC24F85D4839B5D8D7EC8DB21B2,SHA256=1BAE68AE2EEC4FDF71845D22A5B408770634A7DB1ACE4BD42365196C0277FB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:53.657{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=088E020AD282A42DDE43581098CC7EA1,SHA256=49415448A6BD21D609E68CEDABCA89E2D25A07AC54D64AE9A50D41C8E54DFC61,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:52.101{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50003-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.475{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2133-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.310{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local55764-false10.0.1.14win-dc-429.attackrange.local53domain 354300x80000000000000001517146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.310{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55764- 354300x80000000000000001517145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.310{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98b0:5308:84ce:ffff-55764-truea00:10e:0:0:0:0:0:0win-dc-429.attackrange.local53domain 354300x80000000000000001517144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.309{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58995- 354300x80000000000000001517143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.309{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58995-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domain 354300x80000000000000001517142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.309{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55081- 22542200x80000000000000001517141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.306{5EBD8912-18AC-6154-1400-00000000FE01}948win-dc-429.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\svchost.exe 23542300x80000000000000001423745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:54.627{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD3269B47284AF33DC09B266F5632E6,SHA256=E6C68A854C79DFBA0B053118778AC6E8206B24B80BCFCB683AB5CE46398F3ED1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.632{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001517182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:52.727{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-7145-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001517181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001517180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\StaleAdapterDWORD (0x00000000) 13241300x80000000000000001517179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001517178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\FlagsDWORD (0x00000002) 13241300x80000000000000001517177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\TtlDWORD (0x000004b0) 13241300x80000000000000001517176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentPriUpdateToIpBinary Data 13241300x80000000000000001517175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\SentUpdateToIpBinary Data 13241300x80000000000000001517174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\DnsServersBinary Data 13241300x80000000000000001517173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\HostAddrsBinary Data 13241300x80000000000000001517172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\PrimaryDomainNameattackrange.local 13241300x80000000000000001517171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\AdapterDomainName(Empty) 13241300x80000000000000001517170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\Hostnamewin-dc-429 13241300x80000000000000001517169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:42:54.349{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{539531AA-0A0B-4BBA-B26E-65076530B444}\RegisteredSinceBootDWORD (0x00000001) 10341000x80000000000000001517168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.113{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001517156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.325{5EBD8912-18B9-6154-2B00-00000000FE01}3056attackrange.local0type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000001517155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.325{5EBD8912-18B9-6154-2B00-00000000FE01}3056attackrange.local0type: 2 win-dc-429.attackrange.local;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000001517154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.324{5EBD8912-18B9-6154-2B00-00000000FE01}3056win-dc-429.attackrange.local9501type: 6 ;10.0.1.14;C:\Windows\System32\dns.exe 22542200x80000000000000001517153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:51.324{5EBD8912-18AC-6154-1400-00000000FE01}948attackrange.local0type: 2 win-dc-429.attackrange.local;10.0.1.14;C:\Windows\System32\svchost.exe 23542300x80000000000000001423744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:54.389{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8E38E4FD10F508829BAA0A78F75E4F,SHA256=29CDC63F90B5F01996AF8E547FBE79461A68E547194FD7FD0E3D122462DE48A0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:52.122{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-25613-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:51.238{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30660-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:55.674{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60BC1D5392661613DA2C2004990D29DC,SHA256=7926F4F45AC318ECEB8E520F85D6B92CA12BC1122FEB2639DBF1C329A1586AA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:53.937{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:53.852{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-11753-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:55.167{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11718DE3E8B90189257FB0ED4BB6C0A5,SHA256=BDE6E0BEF648FFE723276EA5ED075BC756072D8BF7A7ABC62B0D087285CFB57D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:55.167{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEB3E0F144153136AD97BB0DADD78157,SHA256=5EFEACDC28C4662603AEC90969DE1B32B84F74011E5F503AD211963B7360EC63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:55.626{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C26F23A6E0BE0017DBA0D4DCEA2B7011,SHA256=7B2E8E5DE311171CE1B8E80D5D49CFEC0DB9562D6F4B47D4A5BD3333BCB245B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:52.490{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-37394-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:56.735{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A743F91FB83E1C6DB17B7BFAD947FD03,SHA256=0D0A0651EACFE3CDA32248AED06A0211D6C6FA217582CC6E55B7E19E1DD1A508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:56.719{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8258ED4FD469CE47EA508EDBDC4CBA5F,SHA256=5C70F2100C6937D8D82624EDC544841CC91C337154C17CE3D5D16EEB8BE15756,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.929{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-16195-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.308{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53808- 354300x80000000000000001517202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.307{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55311- 354300x80000000000000001517201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:54.306{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58784- 23542300x80000000000000001517200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:56.173{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8566FE9BF092D964F4A402737F36F82,SHA256=5712B00FA26B816E46AAED7E1D91705E210A8E942AD1C62F06C7C4897D58B565,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:53.768{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-44161-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:53.316{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31990-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:53.299{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-42946-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:56.142{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D9A3879201FB9FDD7F592FDE3420883,SHA256=D642B3FC34257845FBF7299D4E422BDFFDEB6833EF006C5316192E06ECA01DB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:57.289{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=480AD6278923D7AEC561A2DAFDBA1D44,SHA256=B95FBFD87DB2C43348347BB3C445EF2EA6E7EB20C1E5C45E5153C89C385015FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:57.179{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEFE9F8AB7402C234FFD48A482218892,SHA256=6DF64147CDFE4C1952C8EE0C1636931BCE72194F5FDB62F5F8AADBC79867A387,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:57.875{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF7C7E595940411B1CF2476978AB840C,SHA256=BF08240C65030A3B9B84427A9B55AD1AB8FD2782CB7079029C132E04993064B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:57.780{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C21989F02BF9588F4A4D5C28606B631A,SHA256=1FC2F57117CC43D8C1074984FFC55D008037C9FC20BB95E45FC9646E5525267B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:56.271{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-58204-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:55.651{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-44333-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:55.223{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49726-false10.0.1.12-8000- 354300x80000000000000001423755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:55.019{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-51252-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:54.503{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-38304-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:58.824{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBDB393ED885AF3C4B990ECEA3B5F636,SHA256=84EA2CDE9142659E9C2D803BE3F0FF6CF5AD9FC76A0D911AD5A05BA0DB37326D,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001517225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.673{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001517224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.515{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=521EB814FBE77A66EB254FB39457DD8B,SHA256=EDC8F0AACE50070A6082B55528668D4DDB3973E06ADA193508380D4F6D5BF271,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:57.117{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50004-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:56.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-20987-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:55.514{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35462-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A416384FD27375F48B5C4198CB8212D,SHA256=64E807ED5DD4B5814E3EAE493E5507C9D12814E5C22727517FD302E7BE537C8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1902-6154-7D00-00000000FE01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1902-6154-7D00-00000000FE01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.185{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1902-6154-7D00-00000000FE01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.186{5EBD8912-1902-6154-7D00-00000000FE01}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001423762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:56.758{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-50001-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:56.381{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-47329-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001517257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1903-6154-7F00-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1903-6154-7F00-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.946{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1903-6154-7F00-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.947{5EBD8912-1903-6154-7F00-00000000FE01}3736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.616{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DB5E6FDAB49E2EC30F0E8E73DF2040C,SHA256=C9A7348707FF0457836E07571CD553AD872B0C59D461C29BA3A6D7A578760021,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:57.429{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25640-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:57.407{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:57.260{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25370-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001517240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.350{5EBD8912-1903-6154-7E00-00000000FE01}23803764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.317{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C22FCA0FD5D7571C606B36D7A5367FA8,SHA256=CFEBF98CF8298D9BAD88DC075BA7F02DBBBCFCC1603863D418BF847BC09E4E48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.914{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081A8B695B2E0078DF00412F12EB0725,SHA256=F231ED6AF161EDA0954FC6CDF0C4D4961CE51CAC35C5DBC0B85894A2053306D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:57.870{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-56128-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:57.519{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-5654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:58.998{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24835799CB48915439ADB918E6581C92,SHA256=AF82B3B28C81781DFF2E87E482AE99B030C86D4FC95A3EC500CB03CF1EF0CECC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1903-6154-7E00-00000000FE01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1903-6154-7E00-00000000FE01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1903-6154-7E00-00000000FE01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.066{5EBD8912-1903-6154-7E00-00000000FE01}2380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001423783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:00.941{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D366C6D2FA1B81EB7E1767E548F10EAD,SHA256=C794AA38C5096268E9791DDACD0A641A9BD958A00E3DFD2E6B41DA310C5FF0F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:00.700{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=472D72BFD1CAABD1FA92ED95C35C3917,SHA256=6B7862EC0B973A7C0C929FD5E4D4427A40C080C2EFD9D79D13CE959182907DC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.617{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50007-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local3268msft-gc 354300x80000000000000001517266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.617{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50007-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local3268msft-gc 354300x80000000000000001517265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.609{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50006-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001517264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.608{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50006-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001517263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.570{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50005-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001517262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.570{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50005-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001517261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.493{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-30229-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.481{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-30183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:58.452{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38494-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:00.402{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA46DD23CC9C25F189A9F4CB5D9F7E3D,SHA256=B49B68204D0BD4C8F28E08C12939D8AA45FC5D8C18068E552893B77F0D053778,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.372{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.328{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4849-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.300{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4617-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.259{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.233{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4345-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.209{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-4193-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.185{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3981-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.146{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3885-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.123{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.098{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3647-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.075{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3531-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.050{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-3334-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.026{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-2965-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:58.768{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-12311-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:00.056{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=388DE65DC81A3C88F1B50DC15030BEBE,SHA256=6E65884A9995C700498933B0DFD577ABA1004BD3AEB4A94931199DEB132F04A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.975{5EBD8912-1905-6154-8000-00000000FE01}20002272C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.881{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7351CB8452294D3E64C37C09317D7FE1,SHA256=1B311EB2A06BE0FE30B88B8AC0791DC260922ED4973F9D560C1CDD5C296AD9E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1905-6154-8000-00000000FE01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1905-6154-8000-00000000FE01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1905-6154-8000-00000000FE01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.787{5EBD8912-1905-6154-8000-00000000FE01}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.409{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=974D1EADAC2A68CC9E4136301EB21C9A,SHA256=1BF2BD4D4608B54688C0ED0A902D85C118DF7091CE517CEF99BDBEE807B95A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.967{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BF701A4F5F23F60A8232D3870342A1,SHA256=8510683F6B885943F1E9A971A45DFA3C4F9E40A5BF2F6B3D02278D8A4A0BED1E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:00.082{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-19485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:00.075{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-51674-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.599{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-51049-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.456{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-50562-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.428{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5259-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:42:59.396{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-5210-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.320{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B967D6ED7CCE1FFEF9823F68138A82E0,SHA256=4C790AA5FBAD51F9FC2E6A26496A938513751FC2AF741461749FF52C134421D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.976{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AE58BACD3632DEA2084D6F673109E95,SHA256=51FFDF32800B5215D9177A6A65F3CC2FE85084A67D31478CA03AFF19AA55AD8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.965{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76DCC0E55B30CE0DA1682DCFC6EF00E8,SHA256=11947A185A8AE0035ACC577D24FE3A97D53E4091AB12B45FFD96EF41A322F20E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.887{5EBD8912-1906-6154-8100-00000000FE01}41604164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001517302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:00.702{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-39131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:00.698{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-39039-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.574{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-34895-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:42:59.555{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-34818-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001517298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1906-6154-8100-00000000FE01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1906-6154-8100-00000000FE01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.698{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1906-6154-8100-00000000FE01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.699{5EBD8912-1906-6154-8100-00000000FE01}4160C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.541{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA6ABDF1EEF215110B84F2BAB04544F,SHA256=B58EAF3CFF1722FD20A1714C19309238AB01DA7CEF8E32AD6CD3A63563DBD6CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.178{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-53118-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.145{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49727-false10.0.1.12-8000- 354300x80000000000000001423795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.039{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-52954-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:00.798{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-52644-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:00.754{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-52316-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:00.670{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-51976-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001517321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.807{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-43662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.298{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-42074-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.692{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB102DF6B01074550E77B683EFB49483,SHA256=33EF45FA4C1D1E4FD05BEFD9F403D0995B1DB02D7F4A237DE2D3751AFC0ED76F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.634{5EBD8912-1907-6154-8200-00000000FE01}42364240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001423817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.412{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31827-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.373{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-54472-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.295{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31544-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.215{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31098-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.210{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-54419-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.137{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30620-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.109{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-54184-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.057{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30248-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.976{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29847-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.920{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-53888-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.896{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.815{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29041-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.770{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-53484-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.733{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-28622-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.654{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-28120-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.574{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-27675-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.493{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-27188-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.412{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-26733-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:01.333{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-26277-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001517317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1907-6154-8200-00000000FE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1907-6154-8200-00000000FE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.374{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1907-6154-8200-00000000FE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.375{5EBD8912-1907-6154-8200-00000000FE01}4236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001517345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.898{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.898{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.898{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.898{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.898{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.898{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.898{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.678{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1908-6154-8300-00000000FE01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.678{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.678{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.678{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1908-6154-8300-00000000FE01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.678{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1908-6154-8300-00000000FE01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.679{5EBD8912-1908-6154-8300-00000000FE01}4396C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001517332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.025{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50008-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.023{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:03.022{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-59959-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.998{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-59834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:02.950{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-47967-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:01.837{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-43730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.662{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18CAD287EBF2B8F8E31C3CE24F64A372,SHA256=7127AABF800A3A0084D1FA65E058EB305322D170F764326CEE354EF7A1B69043,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.657{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39032-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.577{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-38498-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.496{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-38067-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.415{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-37643-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.378{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-55958-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.333{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-37170-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.254{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-36719-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.203{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-55828-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.173{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-36278-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.093{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-35580-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.061{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-55473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.014{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-35013-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.944{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-55330-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.934{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-34672-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.810{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-34324-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.752{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-55257-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.731{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-33859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.653{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-33431-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.575{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-33047-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.538{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-54707-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:02.496{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-32407-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.001{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F835CB90A8C56E68092AC463B17B15C4,SHA256=32606626F48FB567FD221ECC54C91703279CD5EFEFD20172BF3E73B7AC2EC0FD,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001517325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:43:04.490{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xa300863b) 10341000x80000000000000001517324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.411{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AD-6154-1D00-00000000FE01}1644C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.411{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AD-6154-1D00-00000000FE01}1644C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.191{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C30BED7E3D45C386C6511DD1E5446C30,SHA256=BBC643618EED7B48382CDEC68BB054A861CA3689CACFDE190D4807EDD8D22F64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.214{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-53199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.124{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-5318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.104{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-52672-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:05.684{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF9FD3B974BD8E758AA8D9BC9BF31264,SHA256=17F2CF624BF7A0F87FD1939E9AFAFC5E3EFC2D8C643B3CF3034B23B74FE8E722,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.624{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-43938-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.610{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-57744-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.539{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-43042-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.460{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-42664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.453{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-57122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.337{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-42357-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.258{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-41556-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.256{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-56842-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.147{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-41188-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.062{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-56548-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.061{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-41038-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.980{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-40719-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.897{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-40367-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.865{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-56361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.817{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39910-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.736{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39447-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:03.661{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-56113-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:05.041{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C585A81949E98831B509922FDAC1477,SHA256=D41DE15F891B4D4D709DD8F1492C71A68004C08D52F3FFA2064FF1F3245A49A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:05.275{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A08C332BD9741E526898A99E6313B125,SHA256=FADF5F078B7B5835FE83A5A1C3AA3225555EB9A8EDDFBDBBC996CF21BF8AB5FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.376{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local50010-false93.184.220.29-80http 354300x80000000000000001517353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:04.365{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-429.attackrange.local50009-false209.197.3.8vip0x008.map2.ssl.hwcdn.net80http 23542300x80000000000000001517352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:06.690{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73C7A07F66D041402DA34A0CAF9AE17A,SHA256=160B46C021EC1AA231BE4C2FD878968B1D3ACF8DA3587E9A3C580F243277179E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:06.360{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E78A9694CD7D697270B4CACB6DCB7DFF,SHA256=2BF947EC23927CD893F38DF2ACA33554FB393FE20F7FE93F6EDFBF1A52C15F8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:05.579{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58443-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:05.378{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58267-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:05.093{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58094-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.825{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-57948-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.705{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-44430-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:04.698{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-57859-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:06.064{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D233C0838B71B8E1C63433D94179095F,SHA256=F0B498D27684B65F9B5207679AE3FEC457AC6D1D322570DB4EB8A2DE47739ECB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:06.389{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-14191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:06.371{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3031-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:06.261{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2581-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:05.868{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-48146-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:05.291{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57708-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:05.249{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:05.186{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:07.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99AD0BEF5AE26932072D9FBA449F14A5,SHA256=18C61359B49209828E646A5AC1CE74601E1B59E03D82D6757D63A5537E3837F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:07.522{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5956EF84047134D3DCC72EA481A34025,SHA256=85BD4CF3957825F4B459D160801C01AAF871E99ED9A8EBE1CF637A4880A09BBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:07.087{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF1DD18BDCE73B731974D80AD6A8EE3B,SHA256=D402743CCF6A49FDFC0FE71E48155B1E2BD5F2E647C4669FF654B7E1C0404877,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:07.486{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-18569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:07.431{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-7156-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:06.572{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60255- 23542300x80000000000000001517365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:08.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41AC19DEA5FE23B7FCE28D6ADE1A9923,SHA256=4E98BB414217CE683C0010B32BA3576BE739B22AF02110BF0B30FD9994BDA23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:08.669{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3A17C1230B91F80DD5A7AE5551F4D13,SHA256=67EB961EC0BCDEB30EFC9E0D68628827AD96FF4A08010377B6F9213E4C0A4173,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.440{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189B-6154-2500-00000000FE01}2496C:\Windows\system32\compattelrunner.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.440{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-189B-6154-2500-00000000FE01}2496C:\Windows\system32\compattelrunner.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001423874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:06.775{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-1325-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:06.433{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-1196-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:06.192{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:06.032{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59769-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:05.931{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59558-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:05.843{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59126-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:05.758{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:05.681{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58896-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.094{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B311FF1E60E25DD84A3477AF521499AA,SHA256=09CB310D4ACDD7B7EAA7B059D9B05ACDA0FCB651BCA85F3010803C368AFD1E56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:09.816{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D53C3349437AFD9D73599CD2F0EBA0EE,SHA256=C9073454756AD86C8D2BFD6D681876F0523275E55C8E14B8EF61B554C03DE423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:09.801{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD43250BA520216F710D79FFA4B74D31,SHA256=DE4DE1CB990077FA9B6611377B7B12C03DC446C5EFD048732E887EB0FD5A9A3B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:07.651{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-2434-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:07.468{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-2336-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:07.325{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-2214-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:07.143{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-1877-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:07.098{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49728-false10.0.1.12-8000- 354300x80000000000000001423878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:06.989{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-1527-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:09.132{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA4F5FD39D7EFB93ADB90EC6A4236E1,SHA256=D9A9F30A6D3D9DC7A0AB7FF3D86ABAF7BB4F66A1106F214C699818600A0EABBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.900{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDCF96F84BE1D6AC1DE79E4E98FF518A,SHA256=40879E807FF40DB2276AB4A202E41A5847C6AD7329BCE4296EE3B9C96913F4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.885{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E089C759CDB425E36B321EEBFDBDEEE,SHA256=E49129EE9C4A4C41464F5A686AB962A84684787574C810C7BCEC766B5CD4FFA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:08.103{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50011-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:07.931{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-51283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:07.573{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-7544-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001423887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:10.138{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78390CBA473107B2880FA2999E73E3E4,SHA256=E3C2A062AC92EE991F5A9A1E59963D9B3CDD18E8D28B1F90863701360F82F36E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.178{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-3109-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.003{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-2975-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:07.834{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-2617-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.984{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0614390DCD1BE503935F5C92F4CAB513,SHA256=AEDCEF5B33DB37E1BB32B8AE25B77D1D0C4ECC90269F2F4CF59A15DECD06D3B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.969{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=097F0034CE717B6CB5644D2BB5EE1B13,SHA256=D5009AF09E9CD863F79A60945F2DB7E25B5BCADF55C70962956898ABDB15C064,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:08.729{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-12454-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:08.634{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-12029-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:08.575{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-22888-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001423894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:11.175{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB6BF7C1F861BD3DF0D60EFAF85ADF6B,SHA256=49629D5719A8FB1CEC4B7F133614D654D4374768093BA83848B34A0DA0E60F01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:09.049{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-4006-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.835{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-3748-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.660{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-3602-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.520{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-3453-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.370{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-3348-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:08.292{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-3183-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001517383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:09.857{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-16808-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:09.734{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-16474-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:09.686{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-27166-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001423895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:12.196{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C27E7468FAE6EA366C3DDF1424F6E749,SHA256=ACE7F2882A0EC995754ADFDD41C8A7021448C1E2C17C911CB5FB0B21054FEE94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.618{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=96F622AA94378C1EDB11792B70D85896,SHA256=79AE38C3D1241A06A216DE2F7BA2DC125CF589740C0F099C018291595C858905,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.587{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7FE28F3E6433948CB07C5EE839ABB72,SHA256=BEB306CF6BE08BC301C922BF6E82301B3AAFAB73A5C83310986229BED70C982F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:13.217{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C5F995655B2CB0AC9F5863F15BA5CD,SHA256=E98CF9439139F153CFFB164686637F7D2F70EC6F81CCD45012091A5BD9624FFD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.541{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.507{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23475-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.489{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.488{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23441-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.469{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.469{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23241-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.451{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23235-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.436{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23210-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.432{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23151-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.418{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23147-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.400{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23068-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.398{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23059-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.381{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22942-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.380{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22929-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.363{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22800-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.361{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.344{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22672-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.311{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.301{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22546-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.272{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22431-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.256{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.232{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22357-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.208{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.191{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22295-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.188{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22253-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.162{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22173-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.156{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22198-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.136{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.130{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.118{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22052-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.110{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-22007-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.100{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21963-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.091{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.082{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.073{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.063{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21696-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.055{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21740-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.037{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21576-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.030{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21610-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.011{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.006{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21489-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.993{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21432-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.987{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21408-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.975{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21353-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.969{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21330-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.956{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.950{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21208-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.939{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21225-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.916{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21151-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.792{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-54960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:10.763{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-31504-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001423897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:12.997{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EF97D6AFCC41DADAB7CF974E9A236E9,SHA256=BC843898A395B200D1F51AE6AC804069EAB1A7C6013A24E2F3B087ED2F2D3138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:12.997{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2333A036D8F302E347D935AE2361D3BC,SHA256=1BCA287C7210D8381E7A26DCE5724D4AC114D37378AC2B887334F52FD85711E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.780{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46855BC5B129695B1540A4AD7527176C,SHA256=DB5ADA7BAF9E5C1BE752424AC1D24E27666B03920841472AA6B7B3C695D4C3DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:12.895{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49729-false10.0.1.12-8000- 23542300x80000000000000001423901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:14.269{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:14.269{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C99EAA2F9F29F7AC9D3B63115C39D8DC,SHA256=A88F31A8A3E20AC9083F4D84916BAB7CB6DC35C1690838B7034577D00E2002FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:14.253{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD57CCDA9D74B5479128DA84CA435E4,SHA256=252B32E51CFCC55471CA09C186DD9B32F8E5BC816A18D94506138258FA73D322,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.603{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38826-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.505{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38475-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.469{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.445{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-38058-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.372{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.343{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37812-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37786-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.294{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.264{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.242{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.220{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37478-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.199{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.177{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.154{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37210-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.153{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26395-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.135{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26313-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.132{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37118-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.116{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.110{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-37006-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.097{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.088{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36928-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.078{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26129-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.065{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36809-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.059{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-26046-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.041{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25963-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.030{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36727-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.023{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.008{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36602-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:12.004{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25803-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.986{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.971{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.967{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25672-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.950{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36433-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.948{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25561-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.927{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36268-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.918{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.899{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.890{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36135-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.882{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.856{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-36003-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.848{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.830{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25149-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.812{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25055-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.793{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24842-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.758{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.725{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24360-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.693{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24171-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.659{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24084-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:11.610{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-23833-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:15.817{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74719C04BD1FC904B904A72D1C0ECF5B,SHA256=6FA49F3696A39436B8B5EAE5FC2C556970AA250D30D95E4FC60FEC43B3B37BC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:14.098{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49730-false10.0.1.12-8089- 354300x80000000000000001423905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:13.503{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-9574-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:15.273{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1231ACA24B4FB222E01296891D92EB94,SHA256=67A883FF291CEAFDE4BF45C5D013B85C51AC07E6A83248D4FBD019C423944210,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.827{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43592-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.791{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43487-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.768{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43410-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.746{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43261-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.708{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43181-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.686{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001423903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:15.013{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3EF97D6AFCC41DADAB7CF974E9A236E9,SHA256=BC843898A395B200D1F51AE6AC804069EAB1A7C6013A24E2F3B087ED2F2D3138,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.716{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-47110-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.694{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-47006-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.684{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59996-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.670{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46798-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.643{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46694-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.637{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59865-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.612{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46625-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.583{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46554-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.560{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46410-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.523{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.501{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46245-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.479{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46165-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.457{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-46048-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.434{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45906-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.400{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45761-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.364{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45669-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.343{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45525-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.306{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.268{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45272-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.245{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45166-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.222{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-45055-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.200{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44898-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.159{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44791-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.137{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.115{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44641-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.093{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44547-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.072{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50012-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.071{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44451-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.045{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.023{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59060-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.022{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44303-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.005{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59053-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.000{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44201-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.988{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59051-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.970{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.965{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44098-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.928{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-44017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.906{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43904-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.895{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-58380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.872{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:13.849{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-43755-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001423937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1914-6154-7C00-00000000FE01}1700C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1898-6154-0A00-00000000FE01}628724C:\Windows\system32\services.exe{69CF5F33-1914-6154-7C00-00000000FE01}1700C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001423926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.817{69CF5F33-1914-6154-7C00-00000000FE01}1700C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{69CF5F33-1899-6154-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001423925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.811{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.561{69CF5F33-1898-6154-0A00-00000000FE01}628928C:\Windows\system32\services.exe{69CF5F33-1914-6154-7B00-00000000FE01}2464C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.544{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1914-6154-7B00-00000000FE01}2464C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.528{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1914-6154-7B00-00000000FE01}2464C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.528{69CF5F33-1898-6154-0A00-00000000FE01}628724C:\Windows\system32\services.exe{69CF5F33-1914-6154-7B00-00000000FE01}2464C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.528{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.528{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.528{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.403{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.403{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.403{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.324{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C415F275C4D674954307AF153C57A39,SHA256=56CF1ADC83DF971730B3D65A3C50EDD297F4F4F60E8DB655F8BB1E999253248C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.277{69CF5F33-1899-6154-1200-00000000FE01}10201564C:\Windows\System32\svchost.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.277{69CF5F33-1899-6154-1200-00000000FE01}10201564C:\Windows\System32\svchost.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.136{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:16.136{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.576{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7F0BFFD63AE5898C29494976D38FD0,SHA256=F82B8AD25D6C0FBC9669BE0287393E8FC5358B81E3E23C552081FD2EC3F20C02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:15.645{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2000-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:15.458{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1906-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:15.287{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1791-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:15.061{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1698-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:15.045{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54249216- 354300x80000000000000001517536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.994{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1656-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:14.951{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1613-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001423958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.971{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=62088FAEC15A1DC38C87B9E3C9CC6FD5,SHA256=8CB33BC46ADE58E27857574E843B9A97938C6F655CB0C0D5849D7F9CE27D95C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.877{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E74B8EF0BAC882115B0759952867B0AD,SHA256=EC2F3CF177B29EFB88062BD815FE5F867D9342A4AF29A1FE7DD3EAAD91F61025,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.579{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=270419FE6638EB459E2A5DE46C4326A2,SHA256=F3B6A65C5AB67E28EAAA8929D60A664585E97CA67D39BADF29E4F16097AE9D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.532{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CA04EB29B0E648F74EC6109A7FB3D592,SHA256=1F87F409221D7F83181093430CAC28D083E4F6674E3F3102C7E6D75FDD6D657D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.516{69CF5F33-1898-6154-0A00-00000000FE01}628940C:\Windows\system32\services.exe{69CF5F33-1915-6154-7D00-00000000FE01}4084C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.516{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1915-6154-7D00-00000000FE01}4084C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001423952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:15.361{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-13244-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:15.218{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-13103-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.391{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1F5D8CBCB678F199465AF81285BF634,SHA256=D47DF5B1B889ACD6B6BC80CE0F42A08172018A4E2D2BA632916795252C2E3892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.391{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1915-6154-7D00-00000000FE01}4084C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001423948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.391{69CF5F33-1898-6154-0A00-00000000FE01}628724C:\Windows\system32\services.exe{69CF5F33-1915-6154-7D00-00000000FE01}4084C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.312{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1E38D659AA9B12EEA89976FD623EA292,SHA256=418F01AEA09D11A112655C949CE1FB02024C64B6770FD399FDC3C6C44FF63162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.312{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=602335DD135CB1ADBF5494952E1C7164,SHA256=83F57914B2452F535EAFA331AAF5CC6F0D1C8EF12D0BCDB18406C74907BCB531,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.312{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.312{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.312{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.234{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CA04EB29B0E648F74EC6109A7FB3D592,SHA256=1F87F409221D7F83181093430CAC28D083E4F6674E3F3102C7E6D75FDD6D657D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.234{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E06FC7B3F1226ED12B698752F9AF73BE,SHA256=F040D28B694492D5FA980757773F0ACC843E08F692D2B9AC4EE105C848B63DBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.140{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1914-6154-7C00-00000000FE01}1700C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.140{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1914-6154-7C00-00000000FE01}1700C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.046{69CF5F33-1898-6154-0A00-00000000FE01}628928C:\Windows\system32\services.exe{69CF5F33-1914-6154-7C00-00000000FE01}1700C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001517546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:16.537{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2709-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:15.860{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2461-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:15.794{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4F157CB98C4CEC59C78D1C305F04891,SHA256=40FD1B083A80786E0EE7DABCF9193B4724FF68F65A5102F64ECA5287DF1AF790,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:15.742{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-13593-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:15.608{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-542.attackrange.local49731-false209.197.3.8vip0x008.map2.ssl.hwcdn.net80http 354300x80000000000000001423971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:15.505{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-13431-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001423970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.536{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=1E38D659AA9B12EEA89976FD623EA292,SHA256=418F01AEA09D11A112655C949CE1FB02024C64B6770FD399FDC3C6C44FF63162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.426{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F6604EE293F82FB9E9566FCE357BE1E,SHA256=A35241B59C753185B5CAB35074B24296E3B55381AACB779A76022AD23A495E49,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.159{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.097{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=712FB194D80B2A35824E44E11EE85B90,SHA256=C590EC08C19B0AD50ABDBDB61375D66F55814F55EB90C969687D0A173FDFF460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:19.225{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD056735348130364A7E18DF02E9C1F3,SHA256=0BDFA2285EC7F2AB45CE4377BB4931EBF015197D8E74E42F6649076846378A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.603{69CF5F33-1899-6154-1200-00000000FE01}1020NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=F1DA24A12687CA896ABFDFFCA4BF8ED6,SHA256=852FD7C1729959561279F95A0AC54AD69B364DA2F1ABFB2044A566E4E5798282,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001423984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.477{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.477{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.477{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.461{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.461{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.461{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.446{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F2D9B2BEBCDE23B1C51B6E51C065B72,SHA256=B92061E62123FFD3381BDE90CA1134A3122F340EC24C11D4EB7E350894A5E5EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.863{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-58997-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.843{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.715{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4548-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.631{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54250619- 354300x80000000000000001517554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.563{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4384-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.506{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4279-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.454{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4212-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.410{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4142-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.344{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4082-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.250{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4010-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.152{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-3890-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:16.871{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-3241-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001423977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.430{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.430{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.430{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-4100-00000000FE01}3048C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:19.246{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-001MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:20.277{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403E887CE25AAB68A7B5B8483B9090A0,SHA256=634AEBFC8DA495E8B946A1C794AFE46CA80E6671BA6BD5BDE24AD6E30C077089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:20.952{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7881C28FC50F598DC54C646866D20387,SHA256=BC7CFBE3FC797188F016D5DA5DF0547FD6181D299ECA09469A2630A50B73BCA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001423991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:18.384{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-16804-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001423990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:17.879{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49732-false10.0.1.12-8000- 23542300x80000000000000001423989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:20.620{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F557498676BF439BB99E2FD8F1FC92E7,SHA256=D501E380A612E3619B99566CAEB10034BD44CA7D2B336DF828391B81B10625B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:20.510{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C128DE6263F798B50E5C2BC7A695C1,SHA256=16CCF8496F1BA6F25935DCDE46D2B5B72950EA475D4A529B8DCB393247619D75,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.554{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6001-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.536{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5986-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.519{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5847-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.499{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5372-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.469{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5222-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.450{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5067-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.416{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5061-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.398{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5056-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.365{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.329{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.289{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5022-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.223{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4999-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.183{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4959-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.102{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4835-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.985{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4671-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:17.941{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-59359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001423987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:20.262{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-002MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:20.042{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\Microsoft\Windows\DeviceMetadataCache\OLDCACHE.000MD5=3F091989AA9123D843D88F1E303C5929,SHA256=33816ACF34011344C33CD6B7C3AC29883A160F6F93427D2C8650257576494ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:21.291{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408D0EE4DFB4AD732A89E1585844A24E,SHA256=505D5F1AEFBBD3AB47491952AE740B7F2652319602820884C5F57D825157B2DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001423993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:21.516{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B7103B8C6CE55E1BD2CDEEF2735233,SHA256=60AD9C85101B78EFA73B7AF23E80B9F3D963F068D6073C97CD78C33B100C3E9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:19.412{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6339-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:19.073{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6127-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:18.886{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54274- 23542300x80000000000000001517590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.767{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE988E62DB8BB149AAD867FB60AD9A15,SHA256=ADF437CE4206CFD5ECE89E605613FA2C8F4A7DC0997B9A5B056189513D2F9CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.767{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4FDB375F5819CA2B9910EAB19F953B2C,SHA256=DB845BD4A096B39DF4C11743F15D903575B84541CD0FA08390037AF86DA2F4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.296{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A929CCFB43B7AEC61635595C2B3071E0,SHA256=5877D7B9CCA5F040183E1BD68CAA7024F871C7923FA663A68C253FB5BFEBA8A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.832{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.832{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.832{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.801{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.801{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.801{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.801{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.801{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001423996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.801{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001423995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.566{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2D40EC885555463A8818B1A710EE46D,SHA256=213E1A573A735F0D13141D6BF401D297F9FDC943423E1B6E7AD84F8F88BF0AE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:20.383{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-8178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:20.289{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-8099-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:20.237{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-8052-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:20.195{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-8007-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:19.943{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-7471-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:19.884{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50013-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001517581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:19.597{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6843-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001423994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.237{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001517598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:23.489{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4CC6797C00B282E905A7F9AD69BC2F7,SHA256=8940F35ABE5E1F3DA67B918933D6C139CAE9644BE542772103C0902FE6E151F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.945{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=60EB49200DF3AECA0ECC6630F60C087B,SHA256=A807472B1B76CEA30D89CD989DA2C430E77BF6111C4BFCB2668E4ABC06BBAF78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.945{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=72EF941C307271BFCCF1263006392D4E,SHA256=B0304BB1FA9D600D3F0E807BA3F9C5A32B80D1156AD057F39B47292DD37E7A17,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001424030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localT1101SetValue2021-09-29 07:43:23.898{69CF5F33-1898-6154-0A00-00000000FE01}628C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Control\Lsa\nolmhashDWORD (0x00000001) 23542300x80000000000000001424029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.882{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D045FC2ED0B87F10DD47A801E2C3C66,SHA256=7FAB26E071F9D1299AC44889652324FD65CBE77A79B3CFFB0AC4672D95AFA1F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.616{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\tmpgptfl.infMD5=F443C7B00E42C58336E9113C4B92A1EA,SHA256=01406B7BD612A8321213382482E44EA2C7B5467B57E17E9C135EAB2A8221FAEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.600{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\security\templates\policies\gpt00000.domMD5=338F5A9E4E606FC803055C8314E3F366,SHA256=DD15D6AD575AD10CBA979783EE68DC6A5A21ECDABDB4E0678F83870931BBD317,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x80000000000000001517597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.064{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249738-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001517596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.063{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249737-false10.0.1.14win-dc-429.attackrange.local49666- 354300x80000000000000001517595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.061{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.15WIN-HOST-54249736-false10.0.1.14win-dc-429.attackrange.local135epmap 354300x80000000000000001517594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:21.507{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249735-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001517593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:21.505{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249734-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001517592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:21.500{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249733-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001517591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:21.384{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54250620- 10341000x80000000000000001424025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001424024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001424023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1895-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30485|C:\Windows\system32\lsasrv.dll+2e31b|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001424019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.584{69CF5F33-1898-6154-0B00-00000000FE01}6362200C:\Windows\system32\lsass.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001424017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.068{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49735-false10.0.1.14-88kerberos 354300x80000000000000001424016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.065{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49734-false10.0.1.14-88kerberos 354300x80000000000000001424015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.061{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49733-false10.0.1.14-445microsoft-ds 354300x80000000000000001424014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.036{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse119.167.194.165-56602-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:20.934{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20046-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.459{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01D5E6F9AF8FAA70A4837BF0E3A9C631,SHA256=C5A60C1478A2832BAC48D15560D976EF4951FE43A149C3D0156D8538DE417DC0,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001424011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.161{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x80000000000000001424010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.146{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.146{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.146{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.146{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.146{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.146{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001517607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.524{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249744-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001517606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.418{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local389-false10.0.1.15WIN-HOST-54265380- 354300x80000000000000001517605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.417{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54265379- 354300x80000000000000001517604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.411{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249743-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001517603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.400{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249742-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001517602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.085{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249740-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001517601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.078{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249739-false10.0.1.14win-dc-429.attackrange.local88kerberos 23542300x80000000000000001517600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:24.510{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FAE02ADC887DD414362F4B70E8DCF56,SHA256=DD420A88AD35304E1B1D8C170E236141DE7149EE686A91DD1F1AD29E710F74DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:24.603{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58DA7D252DB805CA1E2250460249A5D9,SHA256=DA1B5BC5C2F1374C150AA5C23C65F9229B97AA23E65B6ED92AC341A7BE0A1FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:24.603{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FE950DCA01F64B60FEBA1679A526BB6,SHA256=65C63A86C6EDD0FF83574568D42FDF851D57003886723F1371BCD885DC2454F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:24.070{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE988E62DB8BB149AAD867FB60AD9A15,SHA256=ADF437CE4206CFD5ECE89E605613FA2C8F4A7DC0997B9A5B056189513D2F9CAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.085{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49744-false10.0.1.14-389ldap 354300x80000000000000001424041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.972{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49743-false10.0.1.14-88kerberos 354300x80000000000000001424040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.961{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49742-false10.0.1.14-389ldap 354300x80000000000000001424039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.960{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49741-false10.0.1.12-8000- 354300x80000000000000001424038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.646{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49740-false10.0.1.14-88kerberos 354300x80000000000000001424037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.638{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49739-false10.0.1.14-88kerberos 354300x80000000000000001424036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.625{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49738-false10.0.1.14-88kerberos 354300x80000000000000001424035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.624{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49737-false10.0.1.14-49666- 354300x80000000000000001424034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.621{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49736-false10.0.1.14-135epmap 22542200x80000000000000001424033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.056{69CF5F33-1899-6154-1300-00000000FE01}296win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 354300x80000000000000001517615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:23.158{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-10944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.850{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249749-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001517613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.849{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249748-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001517612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.848{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249747-false10.0.1.14win-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001517611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.842{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249746-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001517610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.840{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15WIN-HOST-54249745-false10.0.1.14win-dc-429.attackrange.local88kerberos 354300x80000000000000001517609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:22.758{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54260378- 23542300x80000000000000001517608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:25.530{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BF18C62F9757EDAC3529C814123ECF,SHA256=6B5EFD7901BFA6110AD5CBFEE17A7D540254EE819B2B1ABE1616D7E15B439276,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.411{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49749-false10.0.1.14-445microsoft-ds 354300x80000000000000001424051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.410{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49748-false10.0.1.14-445microsoft-ds 354300x80000000000000001424050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.409{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49747-false10.0.1.14-445microsoft-ds 354300x80000000000000001424049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.403{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49746-false10.0.1.14-88kerberos 354300x80000000000000001424048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.401{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49745-false10.0.1.14-88kerberos 23542300x80000000000000001424047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:25.621{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B751656993DFDB9B05A01D672622F2ED,SHA256=4FD1C1711B3EC913ADE76ED6D73887AB8CA581CAC713A3F4BCB09B3B5FD75276,IMPHASH=00000000000000000000000000000000falsetrue 22542200x80000000000000001424046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.979{69CF5F33-1898-6154-0B00-00000000FE01}636_ldap._tcp.Default-First-Site-Name._sites.attackrange.local.0type: 33 ;10.0.1.14;C:\Windows\System32\lsass.exe 22542200x80000000000000001424045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:22.654{69CF5F33-1899-6154-1100-00000000FE01}972win-dc-429.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\svchost.exe 354300x80000000000000001517618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:24.925{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50014-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001517617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:26.535{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C94B141FA83ED7836781E48AA1FA0182,SHA256=0CF2497ED6EF4F749F6A35BFE93C52666C056E5BA257D9B15E40175BBBB8DF5B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:25.409{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26153-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:23.813{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-23378-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:26.670{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E35420FC501C501D7EBC882DEF00547,SHA256=941BC022FDA91A97F38DA43152D368F513184A89036317D0ED1ED10BDBEDA3D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:26.017{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D2F82AFCC04037C908E209FF434CC84,SHA256=655ACC68E9AD43C4ACC4E503B5261A0C2BE0B1BE9D054E0D2496F0FF9FDFBCE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.555{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02EFD1A38DDD39015E9CEE3E3B2D0E6,SHA256=9FB127490AA1BFC96145F5E36F7ABD18A9521DC93165577BE227FFECB580EB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:27.688{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C27B34F41FA09168CB37817802D8FEF,SHA256=AE8D20CFEBE7BFD40AC34830C4FBE961387BA37AF93EE6FB1DE963B69BC47BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:27.672{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=08853325678F88595B0D82433C173208,SHA256=C97C75E4699AB283B2B31AADAD9C9E40AAF296A08B2D8A7A07289012CBD7F87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:27.672{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D403A8A3188F552288C089DE260F7150,SHA256=32AD26C4C0520361098D817F0EC510049F61ADA70BFB362A059F68C525C52243,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:26.632{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:26.530{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15072-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:26.379{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-14959-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:28.576{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4590E16159BFCA23388D1503CF55719B,SHA256=53B1446ECD12C1FF219C6B3A3B02BCA3FCF95FDB51F4392BB2716A283417F1FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.706{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4146360860F47AAAB9B34B7567F9A56,SHA256=B4D0F897E61DB4C64C76925A74E68072D8749EE3791030AAB8A884993A52BF0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1920-6154-7E00-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1920-6154-7E00-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.658{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1920-6154-7E00-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.659{69CF5F33-1920-6154-7E00-00000000FE01}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.110{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47AE5F2EB9C4462C4B5B1FFC6CFCDACB,SHA256=D6C6DDBD683AE1D5EC991510EE1063F47F5DF2FB603DAFF925AE005EAED14638,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.977{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.958{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16751-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.940{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16713-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.908{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16704-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.876{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16682-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.842{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.809{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16482-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.791{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16263-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.773{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16103-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.740{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16078-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.721{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16067-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.704{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16051-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.671{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.639{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15994-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.468{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15595-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.279{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15503-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:26.953{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:26.859{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15421-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:26.726{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:29.580{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388A6B0C2C6F57F69DEA6FC24D3B3367,SHA256=6E963ED5777F43A186DA383E6AD187CA9C4635D6AE2F2954184F5923831E161C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:27.980{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-29268-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.785{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57C5FFF2407BF2461665B733EB1E1CE,SHA256=D37457014FA36A65930129A4025F8F7E8412682891893C74FA61FF6E5D5A25BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.770{69CF5F33-1921-6154-7F00-00000000FE01}28123708C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.661{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A751D971B04086A5442D32D514D7E67,SHA256=963BD432C6C2DDC30B126F4E33532AED867CA3F8EB1EBAAAB2D0379532C8BD79,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001424087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:43:29.582{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xb1f54696) 10341000x80000000000000001424086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1921-6154-7F00-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1921-6154-7F00-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.535{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1921-6154-7F00-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:29.536{69CF5F33-1921-6154-7F00-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001517646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:28.013{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16783-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:27.995{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16778-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:30.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04727A24CD7DA199901EB943DF91F00D,SHA256=CADB2416C00F107EDE20912A27C894F71163659565DFD0768EC05ED448BC7798,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:28.866{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49750-false10.0.1.12-8000- 23542300x80000000000000001424106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.787{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FD31E5D4C18F2E5F2255A03A2C44D4,SHA256=1467D8074230CDAC90D3D120B8515FC8631C7EB8B9E2EB6CEF98E3D96E11D0D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.584{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=08853325678F88595B0D82433C173208,SHA256=C97C75E4699AB283B2B31AADAD9C9E40AAF296A08B2D8A7A07289012CBD7F87E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1922-6154-8000-00000000FE01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1922-6154-8000-00000000FE01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.333{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1922-6154-8000-00000000FE01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.334{69CF5F33-1922-6154-8000-00000000FE01}3672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:31.684{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBA0EEB63DF03BFECE31AE09DA806963,SHA256=E97D9EFF3F10D370F65D14D7846269D446325DE281DEDFF4E74DFD2B92584CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:31.684{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73EE7510C319C2E47CFF0E63705DEB02,SHA256=A822FD81D7BE01417898BB82E942C897939BDBDCF20A6B25EF6D7F17D4C2CEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:31.621{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F648D039D4CB1AC15E7DA1626BE181,SHA256=8575E0600A03E5E2E3ACC3FEAA4DAE70C77963459B8F07E6ABFB7ED10BB28D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:31.820{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DCA949CA4D747ECEBF3FEEF1D960087,SHA256=E5D635534AC8A708574788B6D33BECCD8CCFCFAC3DAEDBF6A0B46C7409B76D51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:31.570{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DE862D4D0811A93CEAE86F0DD2C7D9E7,SHA256=89BDC46B0EF082890AC139B1DE1DE1C7DA6CD4B35C06C4EBCC8DBE0E4B38EE4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:30.768{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50015-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001517651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:32.688{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91CBD30ED710FE82BC059930D30279D7,SHA256=941C313D3857D4AF55892AC80867AF35D3838777D52DEDF8F744B42E6108C00A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:32.688{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5ED2B1229E049BD5D1E5ACAB1E9FE375,SHA256=BDFC16546D2E853141CBE14E9A9C8C78C3CC70DEE44901C82567F5DCF1D3E13F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:30.071{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-32278-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:32.837{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D5D917C474B691659B3A48A4779657C,SHA256=F2A012D51B4339828B836B23EAC53E3A43F55B56604DA1BF866067A0FCBBCA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:32.712{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87621361B4D63B26FE613EDA1EA2BCB6,SHA256=CCF23AC828E1C5CCE432126CB120D07F42BCDC37211A6F713058EC1C30B4947F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:33.870{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=669D62FA99DA96F65AFA0A7EB2FBF947,SHA256=B8B04AE16DD3017836720A8786D0E375B167A002DC2DBBED1E47C7FF1FFE5793,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:31.998{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22550-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:33.693{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBA0EEB63DF03BFECE31AE09DA806963,SHA256=E97D9EFF3F10D370F65D14D7846269D446325DE281DEDFF4E74DFD2B92584CF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:33.693{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D762F30498539EAAD153D41D52CD8C41,SHA256=A7CE9190B0F0D5EBAB61530DBDDD04F883895F55668D68728BC3C37147B74149,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:34.697{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CFF92CE8CE4DD8BDB3C52DE22C48320,SHA256=DF88B76AFEAAD6BD2B356D27CF31938B2914EFAEF55E1998749A5272C31EE8D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:34.903{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E5416CB5EA07FA5FC6B9B4764353A9,SHA256=16102ACC54D30A67A462B757EB5C05F9396BB8F4A65628A71FBB7F0F3F4B546F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:35.701{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FAE65185B6FA78A06F7A98ED668A99B,SHA256=2BDA0AF216D34089967F1D42F663834FCB0367D5B4FD650579FF54DAB26278D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:35.920{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9040D3424C4E2923449EB0B555E1E750,SHA256=7E9D69592A7ECEF353A3E1B9CB4BAB39D25337C34B22FDF2385383F97BE31C40,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:32.640{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-35297-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001517660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:34.080{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:36.706{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34161CF8171217496B137A15FF6A7FAC,SHA256=97C5D82D47FD5E4CA7CA026F3F2E93C78547DF7CFCD511B7BC3974625F213B3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:36.706{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3599C641CAF5F59ABB7A5D185565F295,SHA256=1BBC2DECA02D81341B81C0CB5B9D54CA3B90C0B4003DB10358D1EC97E586C4D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:36.937{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79395C66959FB5B96BC44A41F0F11E11,SHA256=F597762C9B89DA4A90481E3CAD53B3266DC89A20CC8491359A2CAB39B10633E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:36.483{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AEED3AFD07257407415012C941C000BE,SHA256=E631B812426DFBAE3F508168A8B10242752154C114D20C5630420EA77FC31626,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:33.944{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49751-false10.0.1.12-8000- 23542300x80000000000000001517661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:37.710{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C82A5EAD97231A21CF430151A2D8772,SHA256=53E5B23058E12341C0EFEDDE24B0A570E711E7D3AD2CA8BE295E4B1CAFBD3533,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:36.747{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-28479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:35.893{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50016-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001517662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:38.714{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828E330D6D1CEFC611F862580F128112,SHA256=A11CC0EEF6B615581C2168E8E11178EB105517A61614E65176305CECA84B79BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:36.343{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-40157-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:38.000{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F8E0DAFBD3DD6831151C9D2C3D094A8,SHA256=FA79B5BD94A074BD3FD3CCF65AA60E6EBAB30686740AE5D6ABB301F92AE70B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:39.719{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF3AB41DA77714F5B0DD7FC1EC05946,SHA256=AE2F8D0C4D586CB705959F8BA0924C2D78DDCFD265D8C114F048587AA3AD7E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:39.017{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0538105E27093B09AFC9F8CFE33A1039,SHA256=727348D271D47ECCEABBA84BF5EAD55DCAAB435C41127A68372FC6ED6F4A8CF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:40.723{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAC13E4112A4301464779D87E7424D9,SHA256=EC2E0B9A733794411858F907AB5119EC0C5F6FAC83EF4E118216659D62EE4514,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:40.738{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8487E25664439F4F09EA07D04DF2FF70,SHA256=CFAB5FE245662FEBA4BD54A5CD22827EE01464C5E075B424537DC30BA2D0AFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:40.050{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3ADE640B3BC023F16DB95B979582335,SHA256=35F2E85603CAA85D6ED4E9637C4773B39DA5F98FB643EC325C4E5EE1D5F4EC45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:41.734{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6369C91D9EC1C9CF4CC4B235DE44AA5,SHA256=45935C1E5494C74CF76B4F21530BE6B403D435671EA33FCC2FDB35F289BE6E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:41.082{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75EC679FE2E5D806CF0D580AD01B2825,SHA256=8CAB50AD092C034AA4132FE8B7199DE31AEA7AAE926E6CA228A656175F516545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:41.452{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F21F9F2A94677A32BF4DAF9FEFCE5481,SHA256=664FC650141A3F7D829C72EC36E157B56AFFD5D2C82C412D22C4C36704140E54,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:41.272{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-32702-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:40.948{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50017-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001517669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:42.754{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124C77F9509FAF7C493521FE9F30B4D3,SHA256=7576346B8AA32E8A5F31586137110210A9B24715137BC58E793B9D52E208F333,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:42.224{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CE65FD05886ACCD9BEEE1E093ECE5AD,SHA256=BEEE8AF647E8B6C76B94A0DF562323ACF9AC32802FA6B32A523A58F73C3AB19A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:40.764{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-44496-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:39.944{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49752-false10.0.1.12-8000- 23542300x80000000000000001424126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:42.114{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4732FFE99BC6588FB4820CC482C27110,SHA256=11E548B9415677A20523C3BF4328F9247B8A82449AB0E4854260B5EA6430F080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:43.947{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:43.774{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0B3BC086FD9FF8B4684B1C19054837E,SHA256=1480BDDE0C693E92FA4202F0BF117A89988C22A281CF98EECEFCB68B37B2A9D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-192F-6154-8100-00000000FE01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-192F-6154-8100-00000000FE01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.944{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-192F-6154-8100-00000000FE01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.945{69CF5F33-192F-6154-8100-00000000FE01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:43.146{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667CA500539086DD17C385BF1A393D89,SHA256=0CA995897162AE4FDDC1D50F7EDF3851AF360C8DA061EA1B14BACD8CE8DE3E28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:44.794{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44A0634D5DC658ABE2439B9734832A64,SHA256=637F6A5CD7954949F95BA39ACF34164C360E8651BFFA2412B78CA6CB65B85BC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:44.543{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EA2BDE653305F1B906300B3355A18AD,SHA256=F739C613F2E093919F7DE5C6161901AE73D691FA823E9A0CEEC592B3DC42581B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.992{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A58150FCF9AC2D5F26BE709047DBB299,SHA256=252C0A6256153B765E2C6F1BBADC052253419F99C4FD810F13481BA9370837F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.757{69CF5F33-1930-6154-8200-00000000FE01}2464660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1930-6154-8200-00000000FE01}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1930-6154-8200-00000000FE01}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.569{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1930-6154-8200-00000000FE01}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.570{69CF5F33-1930-6154-8200-00000000FE01}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001424146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.319{69CF5F33-192F-6154-8100-00000000FE01}31243136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001424145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:42.515{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-47812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:44.178{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB2FFB6FA8A3A816D44486A4A9EEC332,SHA256=C86B246CFD421464C3A6A803ED0495DBCEF87A3C40D2D718962DD984DA4571B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.829{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.829{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.829{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.829{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.829{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.829{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.829{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.829{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.813{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C5451E160B1BC61B87FBBC01552FC8F,SHA256=711E5FA9154C4ABC857F381A5891D38E5142858296D944C75348A305775C5A7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:43.636{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50018-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x80000000000000001424190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1931-6154-8400-00000000FE01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1931-6154-8400-00000000FE01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.711{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1931-6154-8400-00000000FE01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.712{69CF5F33-1931-6154-8400-00000000FE01}3200C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001424177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:43:45.601{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xbb81adcf) 10341000x80000000000000001424176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.445{69CF5F33-1931-6154-8300-00000000FE01}2812752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.226{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAB84CEE3DE9044D81E3F6B398D06FFC,SHA256=ED0E457194B96E0B9F01029605BD6B0189047765BF87CC3BD83756C416823C04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1931-6154-8300-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1931-6154-8300-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.211{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1931-6154-8300-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.212{69CF5F33-1931-6154-8300-00000000FE01}2812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001517700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.990{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1932-6154-8400-00000000FE01}2748C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.990{5EBD8912-18A9-6154-0A00-00000000FE01}6322896C:\Windows\system32\services.exe{5EBD8912-1932-6154-8400-00000000FE01}2748C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.990{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.990{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.990{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.865{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.865{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.865{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001517692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:44.545{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38444-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.817{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E703BD4B06058EB9B970AB4F9914937,SHA256=664AA28BCE569CECA8ABE128463C183A549DCE211F285AA99E71776C1A6CEE81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.770{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+4609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.755{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.739{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.739{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:46.739{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:46.366{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179645D0D27D19B67AD3B0B0CE489E38,SHA256=65170683B8730BF65C7729598071535381616FE487666F2D27B73B9088484309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:46.241{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65716BE9B1CAA0E0BD54A4728EA49699,SHA256=E58F0B83D2FC29E3CCFD8C2237DD0722C38137135B2EF19E5F35CE1D029F7C12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.947{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BDAE9F0C923AFC98D6A25591644DC5EC,SHA256=5165778944FB10CE3CEB61E0A179C2B0ADE9580D2B8E3EF585259A50935514A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.931{5EBD8912-18A9-6154-0A00-00000000FE01}632708C:\Windows\system32\services.exe{5EBD8912-1933-6154-8600-00000000FE01}4948C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.931{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1933-6154-8600-00000000FE01}4948C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001517735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.932{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50019-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001517734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.853{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F91ADAA446FB370C5772FE3A7C6F84BF,SHA256=784AA1C4BEA9E8FB1EBF636A278B9708C220E7D86735D228F2A98F61BEDF72C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.853{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CC62E0583056864E6F6D3D51310918AC,SHA256=215F14C30780F28C0BBB54821B3EF7239C989DC7A4BCA97AA7A934DF41F070C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.853{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A885DE1545AC711DD02F5DF9B00F921F,SHA256=DC39943CAAB177B8764EA53DA558874F58B2E7F09DE87E4F83D49AA2BC9B1697,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.837{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1933-6154-8600-00000000FE01}4948C:\Windows\system32\sppsvc.exe0x103800C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.837{5EBD8912-18A9-6154-0A00-00000000FE01}6322896C:\Windows\system32\services.exe{5EBD8912-1933-6154-8600-00000000FE01}4948C:\Windows\system32\sppsvc.exe0x103801C:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001424197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.126{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-50742-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:47.317{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC7FA839107345CEFCA574FACC93E006,SHA256=E6DE20B84FD1DD28694B121AC158A4D93A679929C605062A709B4B398040E8CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:47.302{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85FDF2F3A7443A793F22766BC9AEF82F,SHA256=472DB8B07F1B8B2E270149F2AE9928173FF01904CD1937224C5E58D5D9C91D6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.743{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.743{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.743{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.649{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48520FE5C3D5760FCB4171C002C61B00,SHA256=2438297962E41A408F5A32CA9090FC7EDA141EDF1417D7397E9FEEFCC3FC187D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.633{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BDAE9F0C923AFC98D6A25591644DC5EC,SHA256=5165778944FB10CE3CEB61E0A179C2B0ADE9580D2B8E3EF585259A50935514A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.633{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=E5C2E5D3FE4B2BBFE5B03296218C70D4,SHA256=67B7AE3A1E8C7C4AC25CD97B4E92464CD526E868B005965A7DFB3DF9C73D8FFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.524{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-1933-6154-8500-00000000FE01}4888C:\Windows\System32\msdtc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.524{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-1933-6154-8500-00000000FE01}4888C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 22542200x80000000000000001517721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.545{5EBD8912-18B9-6154-2500-00000000FE01}2836WIN-DC-4290fe80::65e5:9cae:dd2b:361b;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001517720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.545{5EBD8912-18B9-6154-2500-00000000FE01}2836WIN-DC-429010.0.1.14;C:\Windows\System32\spoolsv.exe 22542200x80000000000000001517719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:45.124{5EBD8912-18B9-6154-2500-00000000FE01}2836WIN-DC-4290fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\spoolsv.exe 10341000x80000000000000001517718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.351{5EBD8912-18A9-6154-0A00-00000000FE01}632300C:\Windows\system32\services.exe{5EBD8912-1933-6154-8500-00000000FE01}4888C:\Windows\System32\msdtc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.163{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.163{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.163{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.163{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.163{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.163{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.163{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.147{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.147{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.147{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1933-6154-8500-00000000FE01}4888C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.147{5EBD8912-18A9-6154-0A00-00000000FE01}6322896C:\Windows\system32\services.exe{5EBD8912-1933-6154-8500-00000000FE01}4888C:\Windows\System32\msdtc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1643d|C:\Windows\SYSTEM32\ntdll.dll+7f60d|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1e892|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.153{5EBD8912-1933-6154-8500-00000000FE01}4888C:\Windows\System32\msdtc.exe2001.12.10941.16384 (rs1_release.160715-1616)Microsoft Distributed Transaction Coordinator ServiceMicrosoft® Windows® Operating SystemMicrosoft CorporationMSDTC.EXEC:\Windows\System32\msdtc.exeC:\Windows\system32\NT AUTHORITY\NETWORK SERVICE{5EBD8912-18AB-6154-E403-000000000000}0x3e40SystemMD5=308F08347923DEEDE7BC03EC7D485841,SHA256=72DB45CA11FE635DF9F8273C38CBEFB8DF5362ADA0CBF6D2B1E570365DC700C0,IMPHASH=D02F3DF332409C5D3F34BA2D38FC4ED4{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001517705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.147{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.147{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.147{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.006{5EBD8912-18A9-6154-0A00-00000000FE01}632300C:\Windows\system32\services.exe{5EBD8912-1932-6154-8400-00000000FE01}2748C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.006{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1932-6154-8400-00000000FE01}2748C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:47.005{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=468C7FE0F07DBF28E5E2795D8209D213,SHA256=A5684172F755CB0350F016EE96D6E114D2CF4AD2E8959653F844FB38138D44A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:47.005{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BC74C89453CD781F43542283BB87A129,SHA256=9CA7D503315CD8D4543416008B5FAD4CDB2B6BA4CE5B5608F88436F8FD7D5D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.952{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F91ADAA446FB370C5772FE3A7C6F84BF,SHA256=784AA1C4BEA9E8FB1EBF636A278B9708C220E7D86735D228F2A98F61BEDF72C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.857{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48FCAC54264B6464A75A7F19872398C7,SHA256=10BA0B6C96787DF5B0F0A526AB3DB25369F6625DFBE1680EECF5334F44EBC448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.857{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B8C1999724CFFCC26B7DBB8BA35B69,SHA256=D13ABBB8E457BC507398A8F194DACC550C6FCF3D6FA14025A3D2817160F4A502,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:45.944{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49753-false10.0.1.12-8000- 23542300x80000000000000001424203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:48.316{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01557E0644A003A158D5E397590180D1,SHA256=19FFADD8890F1230EB6C87D38300B82C9248DAE69CC701CEE803DB818EF1DB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.715{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=4657779D9DCCF356435FE2EEA88EEF68,SHA256=3DF2D27F947E63B23D4A627C960B4FC430B40E94756D7E4EAD4C50E4FE9C438E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.653{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=973301D8847F040B4A71ABBAFCCCB7AD,SHA256=9CD5B75D9E420E0E4D0491DF2A5AEAF7904EFD5664C61C2442634211BC300740,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.480{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B2B48E133C598B54E4630D94B2764A5E,SHA256=E8459DA051BB03E9CCE32D5434E40FFC71DAE208F810A781C8B9BF77FEDED201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.433{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.433{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.433{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.355{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.355{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.355{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.339{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.339{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.339{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.308{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.308{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.292{5EBD8912-18AC-6154-1600-00000000FE01}12725032C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+2685b|C:\Windows\system32\wbem\wbemcore.dll+22b78|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.276{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.245{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.245{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.245{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.245{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:48.245{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:48.097{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2192BE476D84C158B6DC507128A91766,SHA256=7B8F9B84B3C19820F4486F028CE2AF495DAB91D9C689D02C6736737AC27C8D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:48.082{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2192BE476D84C158B6DC507128A91766,SHA256=7B8F9B84B3C19820F4486F028CE2AF495DAB91D9C689D02C6736737AC27C8D0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:48.082{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=60EB49200DF3AECA0ECC6630F60C087B,SHA256=A807472B1B76CEA30D89CD989DA2C430E77BF6111C4BFCB2668E4ABC06BBAF78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:48.051{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1915-6154-7D00-00000000FE01}4084C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:48.051{69CF5F33-1898-6154-0B00-00000000FE01}6361888C:\Windows\system32\lsass.exe{69CF5F33-1915-6154-7D00-00000000FE01}4084C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001517775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:47.757{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41894-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.868{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4CC6B1B3CDE71DC799C3CDE3F4BA98,SHA256=72D8347DC31301684A01464FCC89886C9F90DAA765A90EEE9D9D4541B57CDA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:49.580{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A350C8F4B1C50E524C939CA6E00D8610,SHA256=8AFFEED0DC706046BA153A8DF26F9CF9CA618A988560310C1CC34DBB5638B8F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:47.364{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-53845-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:49.330{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14D127841B1B438F00593335DAB92FCE,SHA256=3C5CF0DA4AB61CA2D0734219648FBAEE2A65BB32BFDAE8FE937B27C2728D1804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.853{5EBD8912-18AC-6154-1300-00000000FE01}692NT AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\WMI\SUM.etlMD5=2A55BB79BDC594E74CA9844916FEA40C,SHA256=300A3CCFFD23F66F0C3C19F64F556A05EB780241DAC56EED20C2ED0630FD80BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.759{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.759{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.759{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.743{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.743{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.743{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.727{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.727{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.727{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1934-6154-8700-00000000FE01}5044C:\Windows\system32\wbem\wmiprvse.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:49.445{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-001MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:49.143{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=468C7FE0F07DBF28E5E2795D8209D213,SHA256=A5684172F755CB0350F016EE96D6E114D2CF4AD2E8959653F844FB38138D44A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:50.876{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1215DCD190279E615AF0E6D5CF70EE1,SHA256=3B9A09E5B847FA8A4B7BA609CDEC49F77E101E167770BEB9DCEEB0643FC21DBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:50.844{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=2FCE55D72A5A494FDF10CAEE1C276382,SHA256=64C926D291F8B4BCD44E2226E686F5D7CA13E60751430557B0D28CE779EA6CFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:50.450{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-002MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:50.135{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFBD9982D9439933D8CF7DC13896BA97,SHA256=2B80A87B7E8C372C5FC20D08918A902DF617E5951486DE48B277188E4BBE3D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:50.344{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69B91621DF785D46DBD1AFC501474B7,SHA256=CA9A9D5224C5FE2949CA750FBF21D2D913BBF2D5D401C7379BE8B13ECB09218A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:51.993{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47ADEABBDA49468CF386939A825D487,SHA256=34DC14D2C6B68CA20DCB52BC566F9A539A8C769EE3C8AB258C9606D8EDAF2932,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:51.359{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458E28567DACD095C23EBA6D74D0F070,SHA256=814A0D6D034BBC06D9536D69E39ED9783AC2D0231BD6302317F592183DEEDAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:52.701{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2107201CC9B825FDF356145AFE2240A,SHA256=0745155732F49C5C94BAD24FB2AFA83A853933B06B36FACB62DCF6418CCDF6C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:51.022{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49754-false10.0.1.12-8000- 354300x80000000000000001424212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:49.702{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-57110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:52.373{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90D772841A57F6DAF3864F0A513571A8,SHA256=23F15B75B69D6A126E8441F5AE3EBB4FBB6B24D727B10EF6EC1141C6252B0950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:52.855{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=782A8A01C2D9664AFA897CC89C43BF26,SHA256=F3D06B16AFD0871FF7D2951ADE2FDD2FEC73D7AA238A95FA25C8935CEC95AED5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001517781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:43:52.667{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xbfb7ce46) 23542300x80000000000000001517783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:52.996{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3AD786B581B41384058A120C9C8E36,SHA256=94B6A9463F713920E381D6FD4A45AA3541F64277228A21FBD86837D0CD425383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:53.388{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5FDCA8DCAEE57D87BF79A97EA0077B,SHA256=59DB8EAAC8CB80C731D4EEDE88572CCE5036E2469D9CE745412A2E805A925C5A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:52.660{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-47947-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:51.744{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50020-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001517784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:54.000{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73BA5E060C7BF738F18DA18BB5B3C5F,SHA256=106C46E66F6D5F6850B3AE1274252661ADC00EB8FF1E18C1953E4037E0138BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:54.809{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D91152AF2BFF1395AF2CE2B8BC29E5F8,SHA256=68AC4EE58E0FAEFDF2E63F2E1F34EDD091C4E5DDAFAEC258BB04D7D0D8D1A8EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:54.403{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46B493C1DD12C1BAEB425457CD142B23,SHA256=32B5874CD9E2A64BEA881D28F66C8459D8A50EC1879792F2356155FEF772CC6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:55.019{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84551F5F1224A0770E914380F7B579CC,SHA256=3F82C961AEE0C156533D86D7AC0E99D527F9F1964DC2F6A0D91B3BBBA291F930,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:52.664{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-1301-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:55.417{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12B9D6CAC6BB8EBAB7E32F4BF5BA21F2,SHA256=88E12EE125C5CD3BC389305A2173C9C29B6BB71CF55C114A57F6EB0AC4D3761E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:56.417{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D283A35716EDC88B77A5CC9260A95EBB,SHA256=2B5D64C02433667959DF8039893F73CF28112DD78463B14822EEB0776D81E62C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:56.525{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=487785E8C308584365D66607E9BA1099,SHA256=C3C73305B4276A3B04B4DB4A694B9CD01353F67D91D971BA8EE2537EE973A341,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:56.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E32DDF47322D3EF7B38A11076CD6461,SHA256=0C5DF2AF3B4C5A22F7F78394C3E185D95A4A772FE05054B98E9B58C68284DFFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:57.510{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=901EAC55881F6DCAF7A5D2587629608B,SHA256=42D5241F751E7A6A0CD51E6AE073040AD2E33D18CE243753D3D4B052D591CB3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:57.431{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BC0D178F1785E58750C866A58B17F96,SHA256=2D7A61245C42566F6AF64F7E455CDE130CA79209670D4B4AB374DBF6576BC6DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:57.042{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485BC3B22BF1AF162DBABCF8FA3D7BF7,SHA256=D4E017D8A974E5758E1405F469E721C915F8D1C485EC0E656B8E061CC228AA68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:55.008{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-4763-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.328{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B3FC2F277A4817CD0026D841B42E281E,SHA256=963CF8D48B074C0DF12D5FA9681C8E9249B0D8A6CAE7E77523BCEB00A84340C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-193E-6154-8800-00000000FE01}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-193E-6154-8800-00000000FE01}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.313{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-193E-6154-8800-00000000FE01}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.314{5EBD8912-193E-6154-8800-00000000FE01}4380C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001517794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:56.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-52701-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.140{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A9130BA48A348ABE7622C7253B24C92,SHA256=D5EBD86A4E30A944FFA6DEACA88BDCE4F7CD53B983324E7B38C706A0C3CD3382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.140{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=66B9D806186EFF0B1228C88BBF7A591C,SHA256=BA7C1B33BF74DE039ACD802CC636F4C767D738AF6A32DF0F500B3887B240EF11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.046{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE0CA3D32381FAE5B7070AE2153F646,SHA256=7BCCF5D9A7407BBCADA76A38ECF43856024ABB205C7726151ADC9C6A5F1B126E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:58.446{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E79DF688EAC188027B4302D1F2ED268,SHA256=43382A845CAC04885E3EE9ECED9EC87ACBB47DC1BE4E45C6930A51B449C345C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.928{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D2B1A599360FB54ADF207A8FE8E94BC,SHA256=6374A7AF052CDCF97C3243D1ABCAB0F8713B03C1DF4906093586E91CF4935BCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.583{5EBD8912-193F-6154-8900-00000000FE01}22764396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-193F-6154-8900-00000000FE01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:59.461{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E9B3E7D7BB3D4B1158C19857EB929F,SHA256=63DA15FE76F3ABFC44A6B31982EBD767303A94DD8DD11FEA925C2C0D780A15B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-193F-6154-8900-00000000FE01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-193F-6154-8900-00000000FE01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.348{5EBD8912-193F-6154-8900-00000000FE01}2276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.050{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A7B8DA284EEC69F6D6F606603377D9,SHA256=B144DA19A88847E316E3A01FC281AF6F10DEFF1D7A867DF9C2B7AFBE4276557B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:56.990{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49755-false10.0.1.12-8000- 23542300x80000000000000001424229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:00.476{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9ED37EA03B8DEC335A3FC56AFFF05C1,SHA256=043B3345E10A09CF8AB17847EA78551A73B0DC1D05003E7CF8B4AA311F53308C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:57.713{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50021-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001517838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1940-6154-8A00-00000000FE01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1940-6154-8A00-00000000FE01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.116{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1940-6154-8A00-00000000FE01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.117{5EBD8912-1940-6154-8A00-00000000FE01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:00.069{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4128E2EA7AE5F2E61CE0BED5E4FB8EC5,SHA256=302840CF32482F392CA4A14C2AB98EA7C03029A2CCA002942B02668A7A29E943,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:43:57.550{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-8274-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:00.164{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A560E71C8C4C53AFB78C4ACE75AAE7F,SHA256=72291A371C856E48883A48482B30610ED4E02C57CEE17ADC098E7BFFD76725D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:01.492{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49D5DC47F58EE0D38CF111F233AA1CB,SHA256=DC885CC19DC67424E1895946DA9B0A77BE9305BE65EF3E3D607C0F4E5A2A1C91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:59.282{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-55877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001517843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.572{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50022-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001517842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:43:58.572{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50022-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 23542300x80000000000000001517841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:01.088{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8D56FE4CC21CB625F85FEC77D291C69,SHA256=6010DAF81D543607B4AADAD20FCA245ACA428AA8FD7F072BC6371B47FEABE07B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:01.025{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F3C08D6674FFC6010E50798AEDFF56C,SHA256=33F2CC8734842FE63E155304A78308D0245400037DFABB509CDC397DC4066358,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1942-6154-8C00-00000000FE01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1942-6154-8C00-00000000FE01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.982{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1942-6154-8C00-00000000FE01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.983{5EBD8912-1942-6154-8C00-00000000FE01}4916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001517859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.339{5EBD8912-1942-6154-8B00-00000000FE01}47644784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.120{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667CD455499DEB10831CB269CE246C8C,SHA256=69700801EA2346E3D6AAAFA98269BD7B7EAD9A6AA53B0B134B391E3C64D80A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:02.772{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DFCCB8ED897A008C33A3D4A0A161C87,SHA256=C09BFE1C510AE9788E5F73121475B9288E1BA9C4DCEEC33851F6B26A3B30ABC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:02.507{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ECA10F04B7C4447CCFB0845D6894F7B,SHA256=117F955600444CFF0235B612E3F186C6F4192E1862BED006D96D3D5DBD7CF596,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:00.417{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-11417-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001517857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1942-6154-8B00-00000000FE01}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1942-6154-8B00-00000000FE01}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.057{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1942-6154-8B00-00000000FE01}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.058{5EBD8912-1942-6154-8B00-00000000FE01}4764C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001517890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.719{5EBD8912-1943-6154-8D00-00000000FE01}39323260C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1943-6154-8D00-00000000FE01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1943-6154-8D00-00000000FE01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.484{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1943-6154-8D00-00000000FE01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.485{5EBD8912-1943-6154-8D00-00000000FE01}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001517876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:01.391{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-58650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001517875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.202{5EBD8912-1942-6154-8C00-00000000FE01}49164964C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001517874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.123{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4184DC7E0FB1155DC28E9DD2A87FF9AA,SHA256=2E15AF45A19E21FE1EF98CCD921FC905BF5EB1FB89F918A6EDED7A9B67D0F7C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:03.522{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=401A9F14B4AFE1402A6B26478902A435,SHA256=CDDA7C8A6987B9146CF92FF092B13DE84FF7975122917CA03B6E15D308301DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:03.076{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B5167A5076422B15B695F4493F4A7065,SHA256=000590196BC735E8C9AB2D08AE488DEBFA6ABF0377C7D9A50ABF912DF5706E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1944-6154-8E00-00000000FE01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1944-6154-8E00-00000000FE01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.942{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1944-6154-8E00-00000000FE01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.943{5EBD8912-1944-6154-8E00-00000000FE01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001517893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.487{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E0B54F18AC8C309762938B59BAC10E1,SHA256=66E934C3473288402E2FC46473DDBFE9318331893511A8C72EBC4EE703B2E95E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.378{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B0D9CCBDDC2D696F3E73C9DA0BBAFD2,SHA256=CED3C6339BABC7BCE2542A3ED5966410BCEB870FFD97B320FDB8D3A41894EA40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:04.537{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6597DB0E3C9FEFAD425AFA96FA0CE1DD,SHA256=7D37608C745762D356F926018DFA5A58193A6EF55F153085921EBB07490DC70D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:02.710{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50023-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001424238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:05.552{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9044FDC33358AAC56C42CB2E7F72486,SHA256=8D149B98F7907730370A8F3F7396925937ACBEB59B76AB79F300A3DC2F159211,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:05.945{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=634EF308C584D31011636DF3CCCB059F,SHA256=8ECB38165DF71DADEE1E87C99134FA1CCAD86A35AF7159AC34C618C7AD03F72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:05.397{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E35664E5979325D4DE6300EAD9D1782E,SHA256=69CE5244365067B22791D2F96804DC2C56854E2EE7AE066B13B72DC00D4BCBB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:03.089{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-15212-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:03.022{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49756-false10.0.1.12-8000- 23542300x80000000000000001517910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:06.573{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667CB87CA4F2BD61463DB75BBC70146B,SHA256=212800005B254C418A953A943740C166AD8960C11702D0E1A58B4DC2F4366D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:06.849{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69C0C663E1F8EE93307D9653423D4942,SHA256=E56AE8CAAC9E557FD287E1B77589D91B5592324E7D992532508DAA081D86D05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:06.568{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B0F219633588910B6FCBA5C42FA5F8F,SHA256=63AA890E9092E506AC5F8477068AD4DDB841CF8CAC0CA0BA0FC2DD6D93B1FF3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:04.258{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-3305-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:07.576{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D374A7411ECBF887565420B4D5DD0856,SHA256=A7AF855F012E8BF61D698136D8D892CE85ECB262DBCA1E9838DE8A1655A8C698,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:07.583{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BFBB7A1D11F2615AF1F3336FCC94507,SHA256=BDA0C4FE4E3FB8B53B33B37513EF1714BF29C92496802D059050A5049E553B1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:08.924{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61641D142D001011255476B97C7453A1,SHA256=413019136B54F7FD391ABCF60617283C1811C1C77AB5E9421555A5EABEC55827,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001517914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:08.705{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xc946ef69) 354300x80000000000000001517913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:06.582{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:08.579{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1111F6D5D1D22DD05FBAD84954A88162,SHA256=D32D94714B3E25A2CAF39DA816FF646E26AF726150FDB56B2993818516583D72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:08.598{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C8E9C4A51A46062680617607B29D98,SHA256=A7C84DFB21B301FAF693483F2AF69C533E38589DD73421C3D8CE9C6CC7F40777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:09.582{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F18E6243A7C0D8D108EA9E670FC772F4,SHA256=87EEFFE7DB0D2799D29A84CA36EF88D35F9C8769A06A1F6DE20F23FA8E50253D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:09.614{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=815ACD3D114033F7531D73BAF6341EEF,SHA256=83C6A8DDC790F4770EF155C2515E06623178A86DB4485E5C96EE53BDE165A4AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:07.425{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20516-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001517918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:10.711{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3953FADE05AE722072E4E379A76CFD6A,SHA256=D4888B4BAFF5730C31E8AD958D805E76B1CDE2F056FDBDD0245D8E0F138F7B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:10.629{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF981FECC3882D33C58DFDB1F65EA10A,SHA256=5F2EDE022CBB5A8E8D684BAE9239641C710D3EA27A5E1366C7B327C0116D7B1B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:07.774{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50024-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001424247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:08.943{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49757-false10.0.1.12-8000- 23542300x80000000000000001424246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:11.645{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FBB04B4ED0DE252A0FAF61D5754FB88,SHA256=B48AD2567EE117F0BF3994788DD2C2573E23B69188DBFEAAF2E9640804FD10CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001517923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:09.305{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-10317-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001517922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:11.871{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0EBB06AE9570448A67A79533AD9F7976,SHA256=632108B07A72D801607E95D2B56FC286886FF7D1434E21F56E546B36FBBDDA0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:11.871{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A9130BA48A348ABE7622C7253B24C92,SHA256=D5EBD86A4E30A944FFA6DEACA88BDCE4F7CD53B983324E7B38C706A0C3CD3382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:11.714{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCC491D1D61EA71535DA2749E145B31,SHA256=9974FE7F2FF766BB9BFFD835E0179E9073B4291A8AC721423C3565F9AA9B71F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001517919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:11.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84DD7176D462FA71214FB429DD6DAAA4,SHA256=DD521F7116D2321A0C89CF9E795C4E76A67CB020AB72567CE64C4357C205F6A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:12.660{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D2436CFB007416E42231EBF8FF4825,SHA256=AF40B3AF33CE1CA7DCAC23AB591D46F62059A3219E905F14C85F84FCD930A5E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:09.670{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.104.91.170ppp-93-104-91-170.dynamic.mnet-online.de49847-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001518043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.937{5EBD8912-194C-6154-9200-00000000FE01}25244456C:\Windows\system32\LogonUI.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\logoncontroller.dll+2eef5|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.937{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.937{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.937{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.906{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.906{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.906{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4227ACE1553AFB3BA0EB602DF57EE63A,SHA256=0DDCF7477FDE8F2D44F706058FE097B25F0B4C6B6E3C343CD1AA263F1CA0A20A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.890{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31DC546524C3B776410DDFBF527F6A10,SHA256=74C78CB219EC8092F636C7D26069E2B874729135AB298F87A6254C04D60EEF63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.859{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3926D0012A74C925A27CEBB1EFCBDED2,SHA256=5494852D1C23D144972B0891736E62F6D50F6284FC1608C4C4D7818F9854993A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.859{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B530CE63B49D36C8F8396546DF7C1E1,SHA256=BB66819579AABA71C674E8005545C9B8AD7011A0DDD1B9D941EECB4FE61E5F93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.859{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A21FFEF36720ECFEB9865842708BFB7C,SHA256=9AEFFDFFA8DB1E459A7191868513C4FC193BA34B8D9309A521DE347C025E987F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.780{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.780{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.780{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.780{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.780{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.780{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-194C-6154-9100-00000000FE01}39164368C:\Windows\system32\winlogon.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\SYSTEM32\dwminit.dll+2d11|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001518015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.687{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\System32\dwm.exe10.0.14393.0 (rs1_release.160715-1616)Desktop Window ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationdwm.exe"dwm.exe"C:\Windows\system32\Window Manager\DWM-2{5EBD8912-194C-6154-690C-090000000000}0x90c692SystemMD5=C89F159A577F19F7F03C73C98D29D841,SHA256=B3E37997C1C62DD90D69EF83D6A6FC782BF9A5B8AD04A0D1528A8B7FA31AA408,IMPHASH=DDB7DE3741333EE031929A760FCD4542{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001518014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1b140|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.670{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.670{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.639{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.639{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.639{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.639{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.608{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.608{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.592{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.592{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-194C-6154-9100-00000000FE01}39163388C:\Windows\system32\winlogon.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+193b7|C:\Windows\system32\winlogon.exe+22617|C:\Windows\system32\winlogon.exe+2b287|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001517988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.581{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\System32\LogonUI.exe10.0.14393.0 (rs1_release.160715-1616)Windows Logon User Interface HostMicrosoft® Windows® Operating SystemMicrosoft Corporationlogonui.exe"LogonUI.exe" /flags:0x2 /state0:0xa3a5a855 /state1:0x41c64e6dC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e72SystemMD5=B38DFCF985D8AE5B1A17C264981E61C7,SHA256=AA62D29803D52EC06CD27ED3124E034048F09606EB7342181913C9817C7B44C5,IMPHASH=A6F3A84D171E55B51A7343E05C8DFAC3{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001517987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.576{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.561{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+4689|c:\windows\system32\themeservice.dll+3fdd|c:\windows\system32\themeservice.dll+3c53|c:\windows\system32\themeservice.dll+2675|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.561{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.561{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.561{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001517980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:12.545{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exeHKU\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001517979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.435{5EBD8912-194C-6154-9000-00000000FE01}28444348C:\Windows\system32\csrss.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\winsrv.DLL+1ef0|C:\Windows\system32\winsrv.DLL+17e9|C:\Windows\system32\winsrv.DLL+1579|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001517978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.247{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72E858B01FE98D5CDA0807F2180774A3,SHA256=9FF24128BFAD885BA7D99D46D8B0169A0DAE24D47BE53B7881997CFE17FA59C2,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001517977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.153{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001517976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.153{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000001517975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.153{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\mouclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000001517974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.153{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001517973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.153{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000002) 13241300x80000000000000001517972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.153{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Mouse0 13241300x80000000000000001517971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.122{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\NextInstanceDWORD (0x00000002) 13241300x80000000000000001517970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.122{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\CountDWORD (0x00000002) 13241300x80000000000000001517969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.122{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\kbdclass\Enum\1TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 13241300x80000000000000001517968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.122{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\NextInstanceDWORD (0x00000001) 13241300x80000000000000001517967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.122{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\CountDWORD (0x00000001) 13241300x80000000000000001517966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:12.122{5EBD8912-1892-6154-0100-00000000FE01}4SystemHKLM\System\CurrentControlSet\Services\terminpt\Enum\0TERMINPUT_BUS\UMB\2&2c22bcc9&0&Session2Keyboard0 10341000x80000000000000001517965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.106{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2387f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.106{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+2380c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.106{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+237c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:12.035{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60502BA76DA48DFA40488BE50F9B8118,SHA256=6D171487AE7DCCB7C2F9AC0F34DFFA812C50749928DD66131B39076F9CF9DCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:12.035{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1FFDF1B0D33450F072A55E1FF05E72E,SHA256=664E49FE38C914100A00D881A0374992977F776CDEE0904944DC2AD6BEC3DD81,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001517962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9000-00000000FE01}2844C:\Windows\system32\csrss.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1ac1c|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001517952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1abf6|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001517951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+1abdc|c:\windows\system32\lsm.dll+22cc9|c:\windows\system32\lsm.dll+bcaf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001517950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-194C-6154-8F00-00000000FE01}40922080C:\Windows\System32\smss.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+1d5e|\SystemRoot\System32\smss.exe+1b09|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001517949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.090{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\System32\winlogon.exe10.0.14393.3204 (rs1_release.190830-1500)Windows Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationWINLOGON.EXEwinlogon.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e72SystemMD5=DEA4CE12F24601830083126E18A2C7C9,SHA256=F002F8C2EA49D21F242996E3D57F5FDD7995FE6DB524BB69BBD7F190CC0211A9,IMPHASH=3CF10D94C117DB4F6E9D523B93429D6D{5EBD8912-194C-6154-8F00-00000000FE01}4092C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000001cc 0000007c 10341000x80000000000000001517948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.075{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{5EBD8912-194C-6154-9000-00000000FE01}2844C:\Windows\system32\csrss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.075{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9000-00000000FE01}2844C:\Windows\system32\csrss.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eacf|c:\windows\system32\lsm.dll+1a7a4|c:\windows\system32\lsm.dll+1aa31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.028{5EBD8912-194C-6154-8F00-00000000FE01}40922080C:\Windows\System32\smss.exe{5EBD8912-194C-6154-9000-00000000FE01}2844C:\Windows\system32\csrss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+1ee4|\SystemRoot\System32\smss.exe+20a1|\SystemRoot\System32\smss.exe+1c92|\SystemRoot\System32\smss.exe+1af6|\SystemRoot\System32\smss.exe+14cb|\SystemRoot\System32\smss.exe+130f|\SystemRoot\System32\smss.exe+1096|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001517936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.043{5EBD8912-194C-6154-9000-00000000FE01}2844C:\Windows\System32\csrss.exe10.0.14393.2969 (rs1_release.190503-1820)Client Server Runtime ProcessMicrosoft® Windows® Operating SystemMicrosoft CorporationCSRSS.Exe%%SystemRoot%%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e72SystemMD5=955E9227AA30A08B7465C109B863B886,SHA256=D896480BC8523FAD3AE152C81A2B572022C3778A34A6D85E089D150A68E9165E,IMPHASH=273BC9D936389D79244E6E56BE5096B6{5EBD8912-194C-6154-8F00-00000000FE01}4092C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 000001cc 0000007c 10341000x80000000000000001517935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-1892-6154-0200-00000000FE01}320328C:\Windows\System32\smss.exe{5EBD8912-194C-6154-8F00-00000000FE01}4092C:\Windows\System32\smss.exe0x101441C:\Windows\SYSTEM32\ntdll.dll+a6cc4|\SystemRoot\System32\smss.exe+3fee|\SystemRoot\System32\smss.exe+3b53|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001517934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001517925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.012{5EBD8912-1892-6154-0200-00000000FE01}320960C:\Windows\System32\smss.exe{5EBD8912-194C-6154-8F00-00000000FE01}4092C:\Windows\System32\smss.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\SYSTEM32\ntdll.dll+8c63e|C:\Windows\SYSTEM32\ntdll.dll+8c3e9|\SystemRoot\System32\smss.exe+2795|\SystemRoot\System32\smss.exe+2042|\SystemRoot\System32\smss.exe+36ee|\SystemRoot\System32\smss.exe+3c31|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\ntdll.dll+5178f 154100x80000000000000001517924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.022{5EBD8912-194C-6154-8F00-00000000FE01}4092C:\Windows\System32\smss.exe10.0.14393.2969 (rs1_release.190503-1820)Windows Session ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationsmss.exe\SystemRoot\System32\smss.exe 000001cc 0000007c C:\Windows\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e72SystemMD5=725EC50D4B0F607BF5B45B5E0115770B,SHA256=56881BCAEAC350107A6453F38F020FE0E284DBE2E8A6F37ED482985E0DD98EA7,IMPHASH=09DDECA5943933973FE7DDDD24ED724A{5EBD8912-1892-6154-0200-00000000FE01}320C:\Windows\System32\smss.exe\SystemRoot\System32\smss.exe 23542300x80000000000000001424251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:13.691{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7010F023993D74C51FFE0347AD907EE2,SHA256=8B989009D96EE9EE1186C146C59742BE1F4BA7D005DBABD8199BFAEF98E0B8B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.987{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.987{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.987{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.987{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2de4|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.987{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2dce|c:\windows\system32\lsm.dll+57af|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.987{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+57a4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+2f9b|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+2f4d|c:\windows\system32\lsm.dll+5727|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+5b40|c:\windows\system32\lsm.dll+5f9d|c:\windows\system32\lsm.dll+5718|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.971{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+56c4|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.956{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.956{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.956{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.956{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.924{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.924{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.924{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.924{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.924{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.924{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+195f6|C:\Windows\system32\lsasrv.dll+1ab9f|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.894{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.752{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.752{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.752{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AC-6154-0F00-00000000FE01}961152C:\Windows\System32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.705{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.689{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.689{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18AC-6154-0F00-00000000FE01}962124C:\Windows\System32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6aa58|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.673{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.532{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=033A7220A58CA299D0DFC7223B752DAA,SHA256=F654C0BE523D9869B49AD5B1BA5124F3FF8E5F8F91987CFB5ADE71F4BEB057E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.501{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.501{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.501{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.501{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.376{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.376{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.376{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001518076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:13.376{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 10341000x80000000000000001518075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.376{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.376{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.376{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001518072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:13.360{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 18141800x80000000000000001518071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:13.344{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 10341000x80000000000000001518070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001518068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:13.344{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 17141700x80000000000000001518067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:44:13.344{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 10341000x80000000000000001518066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AC-6154-0F00-00000000FE01}964416C:\Windows\System32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\termsrv.dll+a1087|c:\windows\system32\termsrv.dll+6a73d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.344{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x147aC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\themeservice.dll+3de3|c:\windows\system32\themeservice.dll+26c0|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+396a|c:\windows\system32\SYSNTFY.dll+1fc3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.329{5EBD8912-18AC-6154-1600-00000000FE01}12721384C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.000{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9200-00000000FE01}2524C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.990{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.990{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.990{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.974{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.974{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.974{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+3a1a|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.974{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.974{5EBD8912-194E-6154-9700-00000000FE01}5068864C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001518383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.974{5EBD8912-194E-6154-9700-00000000FE01}5068864C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001424255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:14.738{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDB352F29B62DED7662478FC6351698,SHA256=FFE98FFAFBA97865CE797B61824FD757846031B8DF52B37E104626061CF95861,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.959{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\sessenv.dll+3de88|c:\windows\system32\sessenv.dll+f881|c:\windows\system32\sessenv.dll+677c|c:\windows\system32\SYSNTFY.dll+1e8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.912{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.912{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.912{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.912{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.865{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3DED33BD2F79580CCAAD6598CB059D,SHA256=3169DE18E91BC606A7ABC5328E100BF1388711ECEC5AB01E5D32A89A745CE554,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.818{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.818{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.818{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.818{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.818{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.818{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.818{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.818{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.802{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9B00-00000000FE01}2084C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9B00-00000000FE01}2084C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18AC-6154-1600-00000000FE01}12721792C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9B00-00000000FE01}2084C:\Windows\system32\ServerManagerLauncher.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0971487B08F0B6BB142991FCEEBCBF08,SHA256=4C274EF1FF0DE00F5AFFD1776A11D13516E2F97777B0EA92C8C34282C8E1327B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1700-00000000FE01}1376C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.786{5EBD8912-18A9-6154-0A00-00000000FE01}632300C:\Windows\system32\services.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.771{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}6322896C:\Windows\system32\services.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+1dc37|C:\Windows\system32\services.exe+17f38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000001518352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9d5c8\Description@%%SystemRoot%%\system32\WpnUserService.dll,-2 13241300x80000000000000001518351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9d5c8\FailureActionsBinary Data 13241300x80000000000000001518350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9d5c8\Security\SecurityBinary Data 13241300x80000000000000001518349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9d5c8\DisplayNameWindows Push Notifications User Service_9d5c8 13241300x80000000000000001518348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9d5c8\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001518347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9d5c8\ErrorControlDWORD (0x00000000) 13241300x80000000000000001518346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9d5c8\StartDWORD (0x00000003) 13241300x80000000000000001518345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\WpnUserService_9d5c8\TypeDWORD (0x000000e0) 13241300x80000000000000001518344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9d5c8\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-14000 13241300x80000000000000001518343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9d5c8\FailureActionsBinary Data 13241300x80000000000000001518342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9d5c8\Security\SecurityBinary Data 10341000x80000000000000001518341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001518340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9d5c8\DisplayNameUser Data Access_9d5c8 13241300x80000000000000001518339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9d5c8\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001518338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9d5c8\ErrorControlDWORD (0x00000000) 13241300x80000000000000001518337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9d5c8\StartDWORD (0x00000003) 13241300x80000000000000001518336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UserDataSvc_9d5c8\TypeDWORD (0x000000e0) 10341000x80000000000000001518335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001518334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9d5c8\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-10002 13241300x80000000000000001518333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9d5c8\FailureActionsBinary Data 13241300x80000000000000001518332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9d5c8\Security\SecurityBinary Data 13241300x80000000000000001518331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9d5c8\DisplayNameUser Data Storage_9d5c8 13241300x80000000000000001518330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9d5c8\ImagePathC:\Windows\System32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001518329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9d5c8\ErrorControlDWORD (0x00000000) 13241300x80000000000000001518328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9d5c8\StartDWORD (0x00000003) 13241300x80000000000000001518327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\UnistoreSvc_9d5c8\TypeDWORD (0x000000e0) 10341000x80000000000000001518326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001518324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d5c8\Description@%%SystemRoot%%\system32\UserDataAccessRes.dll,-15000 13241300x80000000000000001518323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d5c8\FailureActionsBinary Data 13241300x80000000000000001518322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d5c8\Security\SecurityBinary Data 13241300x80000000000000001518321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d5c8\DisplayNameContact Data_9d5c8 13241300x80000000000000001518320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d5c8\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001518319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d5c8\ErrorControlDWORD (0x00000000) 13241300x80000000000000001518318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d5c8\StartDWORD (0x00000003) 13241300x80000000000000001518317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\PimIndexMaintenanceSvc_9d5c8\TypeDWORD (0x000000e0) 13241300x80000000000000001518316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9d5c8\Description@%%SystemRoot%%\system32\APHostRes.dll,-10001 13241300x80000000000000001518315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9d5c8\FailureActionsBinary Data 13241300x80000000000000001518314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9d5c8\Security\SecurityBinary Data 13241300x80000000000000001518313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9d5c8\DisplayNameSync Host_9d5c8 13241300x80000000000000001518312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9d5c8\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001518311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9d5c8\ErrorControlDWORD (0x00000000) 13241300x80000000000000001518310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9d5c8\StartDWORD (0x00000002) 13241300x80000000000000001518309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\OneSyncSvc_9d5c8\TypeDWORD (0x000000e0) 23542300x80000000000000001518308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.756{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=0EBB06AE9570448A67A79533AD9F7976,SHA256=632108B07A72D801607E95D2B56FC286886FF7D1434E21F56E546B36FBBDDA0B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001518307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9d5c8\Description@%%SystemRoot%%\system32\cdpusersvc.dll,-101 13241300x80000000000000001518306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9d5c8\FailureActionsBinary Data 13241300x80000000000000001518305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9d5c8\Security\SecurityBinary Data 13241300x80000000000000001518304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9d5c8\DisplayNameCDPUserSvc_9d5c8 13241300x80000000000000001518303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9d5c8\ImagePathC:\Windows\system32\svchost.exe -k UnistackSvcGroup 13241300x80000000000000001518302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9d5c8\ErrorControlDWORD (0x00000001) 13241300x80000000000000001518301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1031,T1050SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9d5c8\StartDWORD (0x00000002) 13241300x80000000000000001518300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:14.756{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exeHKLM\System\CurrentControlSet\Services\CDPUserSvc_9d5c8\TypeDWORD (0x000000e0) 10341000x80000000000000001518299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.739{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.708{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FB815F4FE44923C6E7AA711F63E3EE,SHA256=3EA5FC54FCA6891462EE675C9E5CD22144655F29BE6A39452287ABFFE0E51852,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.708{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.692{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+6260e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.692{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+625bd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 18141800x80000000000000001518294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:14.692{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 18141800x80000000000000001518293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:14.661{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 10341000x80000000000000001518292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001518289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:14.645{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 10341000x80000000000000001518288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AC-6154-1600-00000000FE01}12721516C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+1f3a|c:\windows\system32\lsm.dll+1cd9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.645{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1c24|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001518281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:14.630{5EBD8912-18AC-6154-0F00-00000000FE01}96\TSVCPIPE-61313fc7-ccae-49fe-b772-d5293d42d7afC:\Windows\System32\svchost.exe 10341000x80000000000000001518280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.630{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.630{5EBD8912-194E-6154-9700-00000000FE01}5068864C:\Windows\System32\RuntimeBroker.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001518278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.630{5EBD8912-194E-6154-9700-00000000FE01}5068864C:\Windows\System32\RuntimeBroker.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001518277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.567{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.567{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.567{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.567{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.567{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.567{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001518271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:14.551{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\MuiCached\MachinePreferredUILanguagesBinary Data 10341000x80000000000000001518270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9300-00000000FE01}1612C:\Windows\system32\dwm.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.536{5EBD8912-18AC-6154-0F00-00000000FE01}962124C:\Windows\System32\svchost.exe{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\termsrv.dll+47f71|c:\windows\system32\termsrv.dll+1982c|c:\windows\system32\termsrv.dll+2320b|c:\windows\system32\termsrv.dll+22643|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 154100x80000000000000001518260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.531{5EBD8912-194E-6154-9600-00000000FE01}1296C:\Windows\System32\rdpclip.exe10.0.14393.3503 (rs1_release.200131-0410)RDP Clipboard MonitorMicrosoft® Windows® Operating SystemMicrosoft Corporationrdpclip.exerdpclipC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=D887E718FB0F4C99B9F01C5BD59F8B90,SHA256=ACFA1128B4EDD953F6364FA6216337A59C0522A01349263A11259A827838A56F,IMPHASH=5A464814303942D42A66B561CF697F26{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k termsvcs 10341000x80000000000000001518259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.520{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 13241300x80000000000000001518258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:14.504{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\UserPreferencesMaskBinary Data 13241300x80000000000000001518257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:14.504{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\SmoothScrollNo 13241300x80000000000000001518256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:14.504{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Remote\2\Control Panel\Desktop\WindowMetrics\MinAnimate0 10341000x80000000000000001518255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.504{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.504{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CA37A6846A81255553E09DC29410FB1,SHA256=52D1D7E3666A866F7AEAA7BF79796477B3153EBBE812A5931909B7D676AE7202,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.491{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.473{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=42CA5CFBE3E370BBB04804C201ABFA3F,SHA256=8EFAA893EA198609AC2FE3CDC6C98207D97E34FF3866B900FF87E650A14D1051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.457{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D304F25F184443FAF49D085FDABA10,SHA256=E12C1A8E07AC5390C24755BD2917A18D7BE5FA1D3A2334D927BEC98D1E4EC10D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.442{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.442{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\system32\TSTheme.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001518225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.427{5EBD8912-194E-6154-9500-00000000FE01}4188C:\Windows\System32\TSTheme.exe10.0.14393.4169 (rs1_release.210107-1130)TSTheme Server ModuleMicrosoft® Windows® Operating SystemMicrosoft CorporationTSThemeS.exeC:\Windows\system32\TSTheme.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=D5E6B1DA9AEE1CC85A50894A07700B98,SHA256=3A22AAA677B8B658386F6A22ECFB36795DC1BE55AED591FEAA05CA8D36973464,IMPHASH=851EBF0BAEED8A212E02B93229FDC674{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001518224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.426{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18B9-6154-2500-00000000FE01}28362940C:\Windows\System32\spoolsv.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\spoolsv.exe+1b7a3|C:\Windows\System32\spoolsv.exe+1b609|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a27b|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6668|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2500-00000000FE01}2836C:\Windows\System32\spoolsv.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|c:\windows\system32\lsm.dll+23fc9|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.410{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852988C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+157b1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23e0b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1439d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852956C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+f290|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+796b|c:\windows\system32\lsm.dll+37c3|c:\windows\system32\SYSNTFY.dll+1dcb|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49e78|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\system32\winlogon.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\SYSNTFY.dll+1ad9|C:\Windows\System32\RPCRT4.dll+48674|C:\Windows\System32\RPCRT4.dll+31850|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.394{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.379{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69C9B86BDF2BBD8CE4ACB3C333D483B9,SHA256=29A9BA3FCE9BFD113173BDB96D8E8ADF20C9842A4E205DF9153FA100A6DB0661,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:14.535{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60502BA76DA48DFA40488BE50F9B8118,SHA256=6D171487AE7DCCB7C2F9AC0F34DFFA812C50749928DD66131B39076F9CF9DCCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:14.332{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:14.316{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F715A8BF0345EC8566A31F24A6052774,SHA256=D0317C492F26ED943EF285A844E9397B8B9B0477AAF6C89AE0282E92578B04C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.285{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.269{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.222{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9400-00000000FE01}8C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.159{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FAE96CEC9F320745A7B8287383575D,SHA256=ABFC18A4264CF84301B63D7FA1E6F95826618B184149CD9BDB14BD2C1739A81B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.097{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-194E-6154-9400-00000000FE01}8C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.097{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194E-6154-9400-00000000FE01}8C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.065{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.957{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.957{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.957{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.957{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.957{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.957{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.925{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326E1774987C9646AF2077BF3FF5177F,SHA256=5B23F413046E01EA81992900ED25EAFCFE5456FDB88AA19742C526C7B2477E0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.894{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9B0C3EBDAD6DAE50B48B5EF5A8590EE,SHA256=88495852FFE3DDBB6B280F7DFB296602377DEA6D51D9D1B8FBADBBA50D176B13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.800{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001424348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.800{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.800{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.800{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.800{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.800{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.800{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.785{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2dba0.TMPMD5=FDBF4F623A74EE0CA6F7EB1E2C12CA2C,SHA256=F09D503514AA47FEA30D27E1DAE8242D3498BBD90E664BF077E350A591E764AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.946{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=AE8B0937DC1379E10E983C058B53846B,SHA256=8A48A72E071426D625F6566E89AAF34E8528049EF3D8AB4A11E7E0154652907E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.930{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.930{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.868{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.868{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.868{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.805{5EBD8912-194F-6154-A000-00000000FE01}36244864C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\appxdeploymentserver.dll+6468b|c:\windows\system32\appxdeploymentserver.dll+2d35e|c:\windows\system32\appxdeploymentserver.dll+2d19d|c:\windows\system32\appxdeploymentserver.dll+115046|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.789{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.789{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.789{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.774{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.758{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.758{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.758{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.758{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.758{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.758{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.758{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001518449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT10532021-09-29 07:44:15.758{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTask2021-09-27 07:58:56.096 23542300x80000000000000001518448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.742{5EBD8912-18AC-6154-1600-00000000FE01}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\Windows\System32\Tasks\CreateExplorerShellUnelevatedTaskMD5=7A2163BAF11F784E3E14894450E1185D,SHA256=299A7F1EA1B6D7319064263EF354F04C7B1EE1BA5CDE1D75F606F1708CE58615,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.742{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-194F-6154-9E00-00000000FE01}4084C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.742{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-194F-6154-9E00-00000000FE01}4084C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.742{5EBD8912-18A9-6154-0A00-00000000FE01}632708C:\Windows\system32\services.exe{5EBD8912-194F-6154-A000-00000000FE01}3624C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.742{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A000-00000000FE01}3624C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.742{5EBD8912-18AC-6154-1600-00000000FE01}12721492C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-9E00-00000000FE01}4084C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.742{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-9E00-00000000FE01}4084C:\Windows\Explorer.EXE0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.727{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-194F-6154-A000-00000000FE01}3624C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.727{5EBD8912-18A9-6154-0A00-00000000FE01}6322896C:\Windows\system32\services.exe{5EBD8912-194F-6154-A000-00000000FE01}3624C:\Windows\system32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.727{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1d1c8|C:\Windows\system32\lsasrv.dll+1c3f1|C:\Windows\system32\lsasrv.dll+1ac10|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.727{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.727{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.727{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-18A9-6154-0A00-00000000FE01}632C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC994F0B12F05DF02569ACC04B5F915D,SHA256=18DC89B7CFF630F84A50458DD03038486355468032574796D9EDF5A50586B506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=46843DD7FD9763B5ECD51A359876E13E,SHA256=B2306BA2B7E911A6CAFB174506B89C920ED4EEDEDF5DCA7508A0456406A53E37,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.900{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local50028-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001518432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.900{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50028-false10.0.1.14win-dc-429.attackrange.local389ldap 10341000x80000000000000001518431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.398{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.398{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.398{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.398{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.398{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.398{5EBD8912-194F-6154-9D00-00000000FE01}44044576C:\Windows\system32\userinit.exe{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+26f6|C:\Windows\system32\userinit.exe+30fd|C:\Windows\system32\userinit.exe+3755|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001518425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.397{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe10.0.14393.4169 (rs1_release.210107-1130)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationCALC.EXEC:\Windows\System32\calc.exeC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=2A5CC198FEFC04C2B6B95207A91D3668,SHA256=04FA16D1FBB5F047E7BF9756E8DDC1365AFEAAB22DD4A2C3F03E067B75BED8EA,IMPHASH=3843C3D4A5A7D1045ABE9A4BFCFAAB28{5EBD8912-194F-6154-9D00-00000000FE01}4404C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x80000000000000001518424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.382{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-194F-6154-9E00-00000000FE01}4084C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.382{5EBD8912-194F-6154-9D00-00000000FE01}44044576C:\Windows\system32\userinit.exe{5EBD8912-194F-6154-9E00-00000000FE01}4084C:\Windows\Explorer.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\userinit.exe+1cd8|C:\Windows\system32\userinit.exe+23e5|C:\Windows\system32\userinit.exe+346e|C:\Windows\system32\userinit.exe+3725|C:\Windows\system32\userinit.exe+4553|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.382{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.382{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.382{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.382{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001518418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.301{5EBD8912-194F-6154-9E00-00000000FE01}4084C:\Windows\explorer.exe10.0.14393.4169 (rs1_release.210107-1130)Windows ExplorerMicrosoft® Windows® Operating SystemMicrosoft CorporationEXPLORER.EXEC:\Windows\Explorer.EXEC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=F7FDECA990692D53D7E4E396B0BD711E,SHA256=1F955612E7DB9BB037751A89DAE78DFAF03D7C1BCC62DF2EF019F6CFE6D1BBA7,IMPHASH=8D2880102609AA4B23679BD4FEBEBC95{5EBD8912-194F-6154-9D00-00000000FE01}4404C:\Windows\System32\userinit.exeC:\Windows\system32\userinit.exe 10341000x80000000000000001518417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.272{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.272{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.272{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.272{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.272{5EBD8912-18AC-6154-1600-00000000FE01}12721492C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-9D00-00000000FE01}4404C:\Windows\system32\userinit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.272{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-9D00-00000000FE01}4404C:\Windows\system32\userinit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001518411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.892{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50027-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001518410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.892{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50027-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001518409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.885{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50026-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001518408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.885{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50026-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 10341000x80000000000000001518407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.241{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-194F-6154-9D00-00000000FE01}4404C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.241{5EBD8912-194C-6154-9100-00000000FE01}39164424C:\Windows\system32\winlogon.exe{5EBD8912-194F-6154-9D00-00000000FE01}4404C:\Windows\system32\userinit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\winlogon.exe+15b13|C:\Windows\system32\winlogon.exe+ea76|C:\Windows\system32\winlogon.exe+b12f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001518405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.245{5EBD8912-194F-6154-9D00-00000000FE01}4404C:\Windows\System32\userinit.exe10.0.14393.0 (rs1_release.160715-1616)Userinit Logon ApplicationMicrosoft® Windows® Operating SystemMicrosoft CorporationUSERINIT.EXEC:\Windows\system32\userinit.exeC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=C1B1FFC800BE2F31EB2CF8CB40629C69,SHA256=CFC6A18FC8FE7447ECD491345A32F0F10208F114B70A0E9D1CD72F6070D5B36F,IMPHASH=BFA137B16F3492AFCA0551687B067C04{5EBD8912-194C-6154-9100-00000000FE01}3916C:\Windows\System32\winlogon.exewinlogon.exe 10341000x80000000000000001518404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.225{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.068{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=089DAF8D8AE6629316CACB77BB667E44,SHA256=959145D51215A39A9A5281C0EFB8C3E93D681158B93B1F09327DFE48B09B9CBE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.068{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+1969|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.068{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\ncbservice.dll+165c|c:\windows\system32\ncbservice.dll+227a|c:\windows\system32\ncbservice.dll+205e|c:\windows\system32\ncbservice.dll+1bdb|c:\windows\system32\ncbservice.dll+181b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.068{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+17cf|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.068{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001518398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:13.617{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50025-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001518397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.686{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-61214-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001518396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:12.386{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60301- 354300x80000000000000001518395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:11.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13558-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001518394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.990{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+2f95|c:\windows\system32\ncbservice.dll+2e77|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.990{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.990{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.738{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.738{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.675{69CF5F33-1899-6154-1100-00000000FE01}9722600C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8800-00000000FE01}3184C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001424338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1898-6154-0B00-00000000FE01}6363900C:\Windows\system32\lsass.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1898-6154-0B00-00000000FE01}6363900C:\Windows\system32\lsass.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.567{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.519{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=F743C929B996B71DED6D00EC1B970F64,SHA256=4016B3FC2A33878938C4D587AC6F8897025666FAD80AFB3D02805B4A805897C1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.472{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8800-00000000FE01}3184C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.458{69CF5F33-194F-6154-8B00-00000000FE01}12043140C:\Windows\system32\conhost.exe{69CF5F33-194F-6154-8700-00000000FE01}3800C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-194F-6154-8C00-00000000FE01}36483628C:\Windows\system32\conhost.exe{69CF5F33-194F-6154-8800-00000000FE01}3184C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.441{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-194F-6154-8C00-00000000FE01}3648C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-194F-6154-8B00-00000000FE01}1204C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-194F-6154-8A00-00000000FE01}2928C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-1100-00000000FE01}9722600C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8A00-00000000FE01}2928C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.425{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-194F-6154-8900-00000000FE01}1816C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-194F-6154-8700-00000000FE01}3800C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-1100-00000000FE01}972696C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8900-00000000FE01}1816C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-1100-00000000FE01}9722592C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8700-00000000FE01}3800C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-194F-6154-8800-00000000FE01}3184C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-1100-00000000FE01}9722288C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8800-00000000FE01}3184C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-1100-00000000FE01}9722596C:\Windows\system32\svchost.exe{69CF5F33-194F-6154-8600-00000000FE01}108C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732768C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732948C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732848C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732768C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.410{69CF5F33-1899-6154-0C00-00000000FE01}732952C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001424256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:12.667{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27270-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.832{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFC01D2C5AADB780DF8D9B0D9084BC4,SHA256=29401AD552C0094135845ABAB5BEA51E7F62859DACA80F9DC2056C7A420535A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.214{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-30468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:14.990{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49759-false10.0.1.12-8000- 10341000x80000000000000001518511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.896{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.896{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.771{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.740{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7AFF14FCAEF46FF950A19540A40BD9A,SHA256=80FBBAA5F5E7F34EBD85AAD65A896303E1895EC8316BA6A1BED46FE6785F6509,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001518507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:16.724{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\LastUpdatedDWORD (0xffffffff) 13241300x80000000000000001518506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:16.724{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 10341000x80000000000000001518505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.724{5EBD8912-1933-6154-8600-00000000FE01}49484988C:\Windows\system32\sppsvc.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+7eaa8|C:\Windows\system32\sppsvc.exe+748f0|C:\Windows\system32\sppsvc.exe+957de|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4 10341000x80000000000000001518504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.724{5EBD8912-1933-6154-8600-00000000FE01}49484988C:\Windows\system32\sppsvc.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\KERNELBASE.dll+221bd|C:\Windows\system32\sppsvc.exe+8d719|C:\Windows\system32\sppsvc.exe+74a0a|C:\Windows\system32\sppsvc.exe+95791|C:\Windows\system32\sppsvc.exe+5454f|C:\Windows\system32\sppsvc.exe+a1cdb|C:\Windows\system32\sppsvc.exe+b414a|C:\Windows\system32\sppsvc.exe+b443f|C:\Windows\system32\RPCRT4.dll+7a593|C:\Windows\system32\RPCRT4.dll+d9f41|C:\Windows\system32\RPCRT4.dll+62d4c|C:\Windows\system32\RPCRT4.dll+4a274|C:\Windows\system32\RPCRT4.dll+4918d|C:\Windows\system32\RPCRT4.dll+49a3b|C:\Windows\system32\RPCRT4.dll+310ac|C:\Windows\system32\RPCRT4.dll+3152c|C:\Windows\system32\RPCRT4.dll+1ae1c|C:\Windows\system32\RPCRT4.dll+1c67b|C:\Windows\system32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\SYSTEM32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.724{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.724{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.708{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.708{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.708{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.708{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.692{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\shsvcs.dll+11f99|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.692{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x101068C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\shsvcs.dll+11f27|c:\windows\system32\shsvcs.dll+11ba6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.692{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.692{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.692{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.692{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.426{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.426{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.364{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.364{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.361{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.361{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.361{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.361{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.197{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.197{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.134{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.134{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.134{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.134{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.134{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.134{5EBD8912-194F-6154-9F00-00000000FE01}18124848C:\Windows\System32\calc.exe{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+dcb2e|C:\Windows\System32\shcore.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000001518475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.134{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe10.0.14393.0 (rs1_release.160715-1616)Windows CalculatorMicrosoft® Windows® Operating SystemMicrosoft CorporationWIN32CALC.EXE"C:\Windows\System32\win32calc.exe" C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=B31A19BA38F110838119299B50517073,SHA256=D7B378A4BC4DEAE748462D216D14A20CCB1BAC1D3FFBC67711DB2CC1D8B182B7,IMPHASH=83A6FF176255FE0F3F902360860DA5F8{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exeC:\Windows\System32\calc.exe 10341000x80000000000000001518474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.072{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.072{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-194F-6154-9F00-00000000FE01}1812C:\Windows\System32\calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.072{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC5732ECD70B0CE4D8961FF0AD2DA8D4,SHA256=915D948217B69CB36D7DBA8579C0C733916B1FEEB5BDDCD84AECA8D0CD40D583,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.416{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55674- 354300x80000000000000001518470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:14.217{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001518469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.056{5EBD8912-194E-6154-9700-00000000FE01}50684204C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001518468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.056{5EBD8912-194E-6154-9700-00000000FE01}50684204C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001424369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D36EA14D2E363FD133ACE12E13677BB3,SHA256=852A98DBF94A2EBBA620C24FD45C1AA1AE6407E7B4D91C44FBEF53C429A3508F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D36EA14D2E363FD133ACE12E13677BB3,SHA256=852A98DBF94A2EBBA620C24FD45C1AA1AE6407E7B4D91C44FBEF53C429A3508F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4ADD6B0918A43BD4CB67C61894FD21F1,SHA256=5334B7111688FAA83D806B0E48451D416CC6FD56BD6EB7DEE5246B7FA8B14648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.550{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2de9e.TMPMD5=9F9C8A5C73233A36B2D0B6FC8398B0AE,SHA256=A542E57750AF0447D028C76F5C6C8095E32F1B94AB70642236F480599AB4E7C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.503{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2de6f.TMPMD5=72803A13343DC39D168F2D0F39F5BB64,SHA256=86AEA57F4F67ED2ED8F93C2B6CABE11C21BACCC70ED8FBD8474478BDC541C68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.457{69CF5F33-1899-6154-1100-00000000FE01}972NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF2de40.TMPMD5=6D4501B8672B9CDBBF1B80E08AAEAFC7,SHA256=7072D6E4AC6D733F46A5AAD1F25607B1BB98EA6064CA07227B58EE96403AF4FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.425{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AC2129A1890ACFFD8DF291E5EB687C15,SHA256=ABC346A79859BBC2BAB2BDA9084270BE13543CC2ACF386A4C17D62FA9F6A5D59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.175{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1950-6154-8D00-00000000FE01}3576C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.175{69CF5F33-1899-6154-1100-00000000FE01}9722596C:\Windows\system32\svchost.exe{69CF5F33-1950-6154-8D00-00000000FE01}3576C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.175{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.175{69CF5F33-1899-6154-0C00-00000000FE01}7323504C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001424358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:14.115{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49758-false10.0.1.12-8089- 23542300x80000000000000001424374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:17.863{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82DD371D508C21D9080D4F7EEA4684CB,SHA256=C9EB2D8C36F6CFAEB89C34C2C407020F92A1AD26C9CDE8D17D551CFC571C101E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.946{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.931{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.931{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.931{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.931{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.931{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.915{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.915{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+3dff|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 23542300x80000000000000001518598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.884{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E44E0DD10390CE8FAF2CE09AF85FD7E,SHA256=2A4EC2F44A33DB06F426F05E30218D659B35700A20298F36A2599965A5321992,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.853{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.853{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.837{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C50607E5E643CF043BE6D58B220B89D,SHA256=63B32CB684504BB5698472D188473DB634D31E131E112E687064BD91C96FCD6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.821{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.821{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.821{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.821{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.821{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.821{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.821{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.805{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.805{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.805{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.805{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.805{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.805{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.790{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7705|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001518580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.790{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7705|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+9a85|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001518579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.774{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.774{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.774{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.774{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.774{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001518574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.774{5EBD8912-194E-6154-9800-00000000FE01}42644484C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.774{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.774{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 18141800x80000000000000001518567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:17.617{5EBD8912-1951-6154-A300-00000000FE01}5392\TDLN-5392-41C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe 17141700x80000000000000001518566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:44:17.617{5EBD8912-18B9-6154-2C00-00000000FE01}3064\TDLN-5392-41C:\Windows\system32\svchost.exe 10341000x80000000000000001518565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.617{5EBD8912-18B9-6154-2C00-00000000FE01}30643260C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.617{5EBD8912-18B9-6154-2C00-00000000FE01}30643260C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001518563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.617{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.617{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.617{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.601{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.601{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.601{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.601{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.601{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.601{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.601{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.601{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194E-6154-9800-00000000FE01}42644368C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194E-6154-9800-00000000FE01}42644368C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.586{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.570{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.570{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.554{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.554{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.554{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.554{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.554{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.554{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.554{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.539{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.539{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.539{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.241{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.241{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001518525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:17.225{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCountDWORD (0x00000001) 10341000x80000000000000001518524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.225{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.225{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.194{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.194{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+f997|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.194{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+3844|C:\Windows\SYSTEM32\psmserviceexthost.dll+1470c|C:\Windows\SYSTEM32\psmserviceexthost.dll+f933|C:\Windows\SYSTEM32\psmserviceexthost.dll+fa9b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1279f|C:\Windows\SYSTEM32\psmserviceexthost.dll+16992|C:\Windows\SYSTEM32\resourcepolicyserver.dll+15142|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11b0c|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b955|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 10341000x80000000000000001518519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.194{5EBD8912-194E-6154-9800-00000000FE01}42644484C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+47ca8|C:\Windows\System32\modernexecserver.dll+47c41|C:\Windows\System32\modernexecserver.dll+19c8a|C:\Windows\System32\modernexecserver.dll+1f6f8|C:\Windows\SYSTEM32\twinapi.appcore.dll+32a67|C:\Windows\SYSTEM32\twinapi.appcore.dll+32870|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.194{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.194{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+47a1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.194{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=449BF1EF05E00643E8152630ABC57FAC,SHA256=B0725EDC3EBDE2A971724588FA552FB95D6D5E06D20DA8C6B8DC76F182243B7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.284{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54263752- 23542300x80000000000000001424373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:17.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FED07F12FA60EAB2D94E266461A1D7D,SHA256=258F866DD8F49DC58D20CEB41F6294185A08DF9BA7D2B1195570A745D9EB9E78,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.053{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.053{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:17.053{5EBD8912-194F-6154-A100-00000000FE01}4472ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Local\Microsoft\Windows\Notifications\WPNPRMRY.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:16.118{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49761-false20.73.194.208-443https 354300x80000000000000001424377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:15.874{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49760-false40.126.31.8-443https 23542300x80000000000000001424376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:18.878{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E2F68A003131C7DB9420C5EF27F0EB,SHA256=623B14B6032F60F3A1BB6BFDB7C6E90B7809F3F1EC16D7E9EF4170D2478F6643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.667{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.620{5EBD8912-18AC-6154-1200-00000000FE01}4521740C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.604{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.604{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194E-6154-9800-00000000FE01}42644484C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194E-6154-9800-00000000FE01}42644484C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.589{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.573{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.573{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.573{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.573{5EBD8912-194E-6154-9800-00000000FE01}42644368C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+72b5|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.573{5EBD8912-194E-6154-9800-00000000FE01}42644368C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+564d|C:\Windows\System32\twinui.appcore.dll+4d5e|C:\Windows\system32\activationmanager.dll+8469|C:\Windows\system32\activationmanager.dll+b6c7|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001518676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.557{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA68F2119952BDBC0C98B8769D502A17,SHA256=76E9DC454BE25225D4D5F5D799D91E3651A79BC3321D762E28D1830ED26BF16E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.510{5EBD8912-194E-6154-9700-00000000FE01}50684204C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.510{5EBD8912-194E-6154-9700-00000000FE01}5068864C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x80000000000000001424375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:18.535{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=4A225E2EF4A10042A0F40FF2C8B37DBA,SHA256=7E1B32725AC35EADE013759A4E357C66B2619C88F427E4F85AE0735322C9E14D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.510{5EBD8912-194E-6154-9700-00000000FE01}5068864C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001518672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.510{5EBD8912-194E-6154-9700-00000000FE01}50684204C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.510{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.510{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.510{5EBD8912-194F-6154-A100-00000000FE01}44725320C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.510{5EBD8912-194F-6154-A100-00000000FE01}44725320C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+15bf06|C:\Windows\System32\TwinUI.dll+83087|C:\Windows\System32\TwinUI.dll+bb7be|C:\Windows\System32\TwinUI.dll+bb789|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.495{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.495{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.479{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.479{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.479{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.479{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.479{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.416{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.416{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.385{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5266|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.385{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.385{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.385{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+521d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.385{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+925b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+650d|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.385{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.385{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+47a7|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.369{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.354{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.354{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.354{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.354{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.338{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAA4AAC9E8A7DE108E3CB3CEACE6CED,SHA256=DCF3D150CC85585BE946807D26C55B86B2170FDE2DFCA67EA22121A9A61B754C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+18aac|C:\Windows\SYSTEM32\psmserviceexthost.dll+e47e|C:\Windows\SYSTEM32\psmserviceexthost.dll+e517|C:\Windows\SYSTEM32\psmserviceexthost.dll+e22a|C:\Windows\SYSTEM32\psmserviceexthost.dll+18e78|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6d1f|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+68be|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6966|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6ab5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+83c5|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b9c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7b3b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+8749|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+7ae6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.291{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+658c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64d9|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+64ad|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6e17|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae 10341000x80000000000000001518629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+892c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+6de2|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+770f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001518628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7a5e|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725488C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\SHCORE.dll+35576|C:\Windows\System32\SHCORE.dll+201ef|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001518623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.275{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+b7777|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+37c8f|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+34376|C:\Windows\System32\combase.dll+33b2a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001518617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.228{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.213{5EBD8912-194E-6154-9700-00000000FE01}5068864C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001518615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.213{5EBD8912-194E-6154-9700-00000000FE01}5068864C:\Windows\System32\RuntimeBroker.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76e7a|C:\Windows\System32\combase.dll+6dc4d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b283|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001518614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.166{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=52B4A9AB504DEAF01B61A321B65BEE89,SHA256=C8B0CDA51A3C729D4AA11E46FBD3189F55C295C6C06C513043B4C3B2D156C16E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.134{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0AF01AA4282238B71F8CB2764738F24,SHA256=855FD7B8F198FCE53BD843CD5D4C88E3461C1C1C540A4199E5B35544775C67F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.119{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.119{5EBD8912-18A9-6154-0B00-00000000FE01}640764C:\Windows\system32\lsass.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001518610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:16.247{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-19728-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001518609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:15.548{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54263952- 10341000x80000000000000001518608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.072{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.072{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:19.972{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135BA00253F5CDD0DD02969B3284DCCE,SHA256=1B19D17496308C4FA85226BD591BD2A7E02D1E69C3414D7379E8D37DD3CDF9B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.905{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\ncbservice.dll+86ee|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.905{5EBD8912-18AC-6154-1300-00000000FE01}6921104C:\Windows\System32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\ncbservice.dll+86c0|c:\windows\system32\ncbservice.dll+6753|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001518747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:19.670{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000000) 13241300x80000000000000001518746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:19.670{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0002f9a8) 13241300x80000000000000001518745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:19.670{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b487-0x7cc12890) 13241300x80000000000000001518744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:19.670{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b505-0xc946ef69) 13241300x80000000000000001518743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:19.670{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b583-0x83c90769) 10341000x80000000000000001518742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.545{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.545{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.545{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.545{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.545{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.545{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.545{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.404{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\System32\TwinUI.dll+a9af6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18B9-6154-2C00-00000000FE01}30642472C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18B9-6154-2C00-00000000FE01}30642472C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 18141800x80000000000000001518730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-ConnectPipe2021-09-29 07:44:19.388{5EBD8912-194F-6154-A100-00000000FE01}4472\TDLN-4472-41C:\Windows\Explorer.EXE 17141700x80000000000000001518729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:44:19.388{5EBD8912-18B9-6154-2C00-00000000FE01}3064\TDLN-4472-41C:\Windows\system32\svchost.exe 10341000x80000000000000001518728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18B9-6154-2C00-00000000FE01}30642472C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18B9-6154-2C00-00000000FE01}30642472C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001518726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-194F-6154-A100-00000000FE01}44725668C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001518719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-194F-6154-A100-00000000FE01}44725668C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001518718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-194F-6154-A100-00000000FE01}44725668C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+37bbe|C:\Windows\System32\wpncore.dll+232a3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001518717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-194F-6154-A100-00000000FE01}44725668C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\wpncore.dll+38f2d|C:\Windows\System32\wpncore.dll+38e70|C:\Windows\System32\wpncore.dll+23267|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001518716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.388{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.372{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.372{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.372{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.372{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.184{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B14D078ED03D2E6A5226C8A3561F249A,SHA256=AA9DC30BD6EC23301C9BC1A16BD7B4C30EF3520C97CA85D5CD9F62F967EF8000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:19.816{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4B4B0FF3260309F6ED28AF0662AA4A7,SHA256=EF6F3BBA0A0B3FB2EEB70F89B33E70A1FE9B1189AAC0D7204F781C30A026B8AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d4e3|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d7a9|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b6c18|C:\Windows\System32\TwinUI.dll+1a8f31|C:\Windows\System32\TwinUI.dll+b7ad9|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+b704c|C:\Windows\System32\TwinUI.dll+b6a5e|C:\Windows\System32\TwinUI.dll+b7abb|C:\Windows\System32\TwinUI.dll+b7a42|C:\Windows\System32\TwinUI.dll+ffcc7|C:\Windows\System32\TwinUI.dll+1005a7|C:\Windows\System32\TwinUI.dll+101417|C:\Windows\System32\TwinUI.dll+cecf4|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725272C:\Windows\Explorer.EXE{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f23cc|C:\Windows\System32\TwinUI.dll+b2d24|C:\Windows\System32\TwinUI.dll+aea6b|C:\Windows\System32\TwinUI.dll+cecda|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725764C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725764C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.122{5EBD8912-194F-6154-A100-00000000FE01}44725764C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.106{5EBD8912-194F-6154-A100-00000000FE01}44725764C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:20.973{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE616223396931D8A364E842C8AD9B3F,SHA256=782D8CA7ABF30200E03177AB63401215A8EAF652DE2F0118A645D88BA24386B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:20.548{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D7775EC7AD01C382BD04FECD110FE574,SHA256=9B9C67634E7E6664ABB9369C35F677AF25E9DC63089D34440A797CA4B15ABF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:20.328{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=641B2C8084F0FDADE86D0365CA197D82,SHA256=1BE710E6A621C5B139AA4E56E3E8BBA68FC763A06113ACE9BA64E15D9A6DDB68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:20.805{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-002MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.072{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54258477- 354300x80000000000000001518750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.072{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54257767- 10341000x80000000000000001518768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.954{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1955-6154-A500-00000000FE01}6040C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.954{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1955-6154-A500-00000000FE01}6040C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.876{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-1955-6154-A500-00000000FE01}6040C:\Windows\System32\mobsync.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.876{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-1955-6154-A500-00000000FE01}6040C:\Windows\System32\mobsync.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.845{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1955-6154-A500-00000000FE01}6040C:\Windows\System32\mobsync.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.829{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-1955-6154-A500-00000000FE01}6040C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.829{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1955-6154-A500-00000000FE01}6040C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.829{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1955-6154-A500-00000000FE01}6040C:\Windows\System32\mobsync.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001518760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.526{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\explorer.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local50031-false20.199.120.151-443https 354300x80000000000000001518759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.508{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57688- 354300x80000000000000001518758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.208{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50030-false20.190.159.132-443https 354300x80000000000000001518757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:19.181{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60724- 354300x80000000000000001518756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.720{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50029-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001518755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:18.628{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001518754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:21.343{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E6296D3B507B7CA6283959B4CD3616D,SHA256=906672881AD793C94532C827F2408249BD095B26086245C14C08341CECE92AF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:21.818{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-003MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:17.968{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-34611-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001518770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:22.848{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5159EE54CF849C36A89C8E92CF947FA2,SHA256=6F0AE0F70ECB554F35FC667364B619E9B8F655D3BFEA38B0ED7BF01B7B1A9D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:22.565{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC7E4ACFF9387F6B0C9740018533E6CE,SHA256=835256BEF29D82C16AF9BD3DD2F06B15E9BA23028133103B0B5EFD4B704D9D4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:22.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDA3F0ED8550596F3F7ACF7BD017ACA,SHA256=0F8D49773F1FCE23A9D38721D90DA297B79FB9583FFB3250C914851CFEBE87CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:23.725{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163BDBBB88373B4D4804D5B442B4E61E,SHA256=FA5E1760714B0F447CFE9D94A13118C30A491EED85238238458B8431384A8A1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:20.549{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-37646-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:20.006{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49762-false10.0.1.12-8000- 23542300x80000000000000001424387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:23.241{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0D2B105F48967AA389EF85EE3580547,SHA256=B95331521EC444B4D9D571DFE8E156BD92DCB6F8A540B1402913B56FB18E2632,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:23.131{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C50C0A7456AE566954CD2C755AC517,SHA256=8AB1DABD6C3C739C8237824657CE3AB11498E119CA51EA098BCC689570649A53,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:20.814{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53847- 354300x80000000000000001518771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:20.814{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61104- 23542300x80000000000000001518778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:24.759{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10D7C338294C519FCF4E51BB7E2FB5C3,SHA256=D4CC9CD24C75AEC36561CC11AEBE02D423567156598DE3AF3AA52FF87B46C70D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:24.085{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:24.085{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:24.085{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:24.085{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001424390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:24.147{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0239D5D4C4956558851E754629F049F,SHA256=B6BEB0C891561F178853BDC1628F05C6A14B569FD45346ABB3261D32875E3D22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:25.762{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8EF4B025B019E897E58370B1719848,SHA256=2D5A378EB7F9CCD2D2BBE9719BB9F441723CEEF5A3E9982BF92CEBC49157CA98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:25.589{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33E3355E812A2C23F9C2DF1BC431AF8C,SHA256=6CDDFFE3E25A77A3644C6256F25B03AAE1A0BB7C7C7801F22FF5DAC8E1ECF62E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:23.418{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-40710-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:25.178{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01E0C6F7A50120D983E68C72C08C8094,SHA256=7B553C19E3AFF09EE4156D894A9DC145D4DD8B96C2AE310BC0E01A7481414766,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:23.747{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50032-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001518779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:23.359{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27558-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001518782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:26.765{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52340518AB5EAD27D34ED8B146247F29,SHA256=DE3197E7964C907D164C91BE9A9285683CD7B1EB700098264D198BB1E4064F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:26.194{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83BD4B708F1570851A031001A33A1509,SHA256=CC129C42BBB96CA22A3879BC2AF6D9FF6BA7243A907C507BA1117F7ECCC9C8A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:27.768{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135DDC88FD7E33AB741EF93F3BBBE0DE,SHA256=27D22F26E41168D99F59F2E96A81E1DA197ABE000D52125CB617D7433A2AD20A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:27.210{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE7A4D250655FC97BE230281F0E772D,SHA256=208E19E8A6F317A3DF9583F458FD38E5D697DCF5628F5C103FFBDAB5958C236A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:27.204{5EBD8912-18B9-6154-2C00-00000000FE01}30643260C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001518787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:27.204{5EBD8912-18B9-6154-2C00-00000000FE01}30643260C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26f12|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001518786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:27.188{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:27.188{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:27.188{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:27.188{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:28.770{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC58F643EBBC2501B7C25F3DA0D18D04,SHA256=C8D7D73AC6A86EB0DCE00C72CA732988DE8D1E0BF2950DDC33589EA97027B08C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:26.179{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-45149-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:26.024{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49763-false10.0.1.12-8000- 10341000x80000000000000001424409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-195C-6154-8E00-00000000FE01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-195C-6154-8E00-00000000FE01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.538{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-195C-6154-8E00-00000000FE01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.539{69CF5F33-195C-6154-8E00-00000000FE01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:28.225{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4589D6F380B284DC93606365EFD5048C,SHA256=6612812275FEF8F8A61BF12BA5F4D03879639C1BFDF7B1DBB9E32D47F3F396F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.930{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EFB4A73B6BB31BDDAC111EEB9F7E7D,SHA256=1DBE1635B1C873874A1A56D9A1085326EEA3996B2A10D00DC0B8BB5ABB3F19F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.725{69CF5F33-195D-6154-8F00-00000000FE01}31842264C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.553{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FDBF157011328B95A2C5581D4CB6A9F,SHA256=FA722C109303C1BABAB9BE31BC314D1B4350D1C5CFA7EEDC3227EF47DB357C38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-195D-6154-8F00-00000000FE01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-195D-6154-8F00-00000000FE01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.538{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-195D-6154-8F00-00000000FE01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.539{69CF5F33-195D-6154-8F00-00000000FE01}3184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:29.257{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8D52E1589C72D18985422D2FA0A418,SHA256=D323E97C410E634112F4F7C56DB92442FEA4E5AE519D8EA393C647A52A37C4D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.397{5EBD8912-195D-6154-A700-00000000FE01}55365568C:\Windows\system32\conhost.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.382{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.382{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.382{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.382{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.382{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.382{5EBD8912-195D-6154-A600-00000000FE01}54925500C:\Windows\system32\cmd.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001518815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.391{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXEC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" " 10341000x80000000000000001518814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.350{5EBD8912-194F-6154-A100-00000000FE01}44725456C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.350{5EBD8912-194F-6154-A100-00000000FE01}44725456C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.350{5EBD8912-194F-6154-A100-00000000FE01}44725456C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.335{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.335{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.319{5EBD8912-194F-6154-A100-00000000FE01}44725868C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.319{5EBD8912-194F-6154-A100-00000000FE01}44725868C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.319{5EBD8912-194F-6154-A100-00000000FE01}44725868C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.319{5EBD8912-194F-6154-A100-00000000FE01}44725868C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.319{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.319{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.319{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.319{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.303{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.303{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.303{5EBD8912-195D-6154-A700-00000000FE01}55365568C:\Windows\system32\conhost.exe{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.272{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-195D-6154-A700-00000000FE01}5536C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.272{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.272{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.272{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.272{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.272{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.272{5EBD8912-194F-6154-A100-00000000FE01}44725896C:\Windows\Explorer.EXE{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\Explorer.EXE+91a26|C:\Windows\Explorer.EXE+11a0b|C:\Windows\Explorer.EXE+1187e|C:\Windows\Explorer.EXE+f7c2|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 154100x80000000000000001518791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:29.277{5EBD8912-195D-6154-A600-00000000FE01}5492C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetup.cmd" "C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 11241100x80000000000000001518828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:30.950{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tfrc5ixv.otq.ps12021-09-29 07:44:30.950 10341000x80000000000000001518827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:30.870{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001518826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:28.763{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50033-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001518825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:30.416{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F0974DDFB620A3F8BB7BEC02719EC5D,SHA256=D33AFBF0D891E93F3EEE83D64733FAFB0329CF1621C054A9E8E08AF87629C87D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:30.401{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22D48DB67EBF3FCEF3C8044D90055CF6,SHA256=91662216C6CFAEC04775EE313CA5DA0F79590ADF6A49B4F932A4521DC9B8ACAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-195E-6154-9000-00000000FE01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-195E-6154-9000-00000000FE01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.304{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-195E-6154-9000-00000000FE01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.306{69CF5F33-195E-6154-9000-00000000FE01}2636C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.272{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB253BD1B28CF2078946BC2EE39EE93,SHA256=C733ED579B09452192FCF124D331355E6AAD0D451A112FA325DE7B296F8694E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:30.244{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-49701-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:31.413{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC3146E13E9516C2D1731A903763ED5E,SHA256=FFD58D88F36E22B556C1B110B1703803B87871A9D0B0CDB8DB420DC7BC3A0450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:31.288{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DC87351B6C6D94865832FABD46D04B,SHA256=7B8005186765F2B031EACD6332D42E7718B60192EEDF5C9448AF2B61FFD1181A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.638{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F0974DDFB620A3F8BB7BEC02719EC5D,SHA256=D33AFBF0D891E93F3EEE83D64733FAFB0329CF1621C054A9E8E08AF87629C87D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.528{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.528{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.434{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.434{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001518833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:44:31.356{5EBD8912-195D-6154-A800-00000000FE01}5700\PSHost.132773750693911038.5700.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001518832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.309{5EBD8912-195D-6154-A800-00000000FE01}5700ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_xrzwj2qv.tio.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.293{5EBD8912-195D-6154-A800-00000000FE01}5700ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_tfrc5ixv.otq.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.074{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A887F1CAB6C5DA4A97640F076C987865,SHA256=513C00C4EF2F935AC2BC824FC98053566DF5B4198300557787B846D9C36209E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:30.995{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E4DEED77A73F1F4F137C0A4BEBAF7B,SHA256=E2AB916E168ACB009B7C26F43BB4958481C51A162882DEB2C8A72964F20A6826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.969{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9527A11688EBDC8126B035736A3E0D50,SHA256=052D5994AD5DB245DE8C66D1DCABB827AE98BD180F1CE8642FF18D3F4E6A5353,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.907{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=36308A4EFDDBB88590B83D868A36E0D9,SHA256=D476F6137E31345873F73B30C8488BFB106F9AFD4AD28B7EE5BF4FB8BE682EF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.907{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6796566B43F2BC26F5A2DC755446B7ED,SHA256=ECA65F183147598B066131D7F9E83A3D811588BF3AC9C63DA8FBC85ACC79BA67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.844{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9D96311F6E27C287057352D6956D38CB,SHA256=E79306CC0268C035B368775E51FE6FF0875E8BDD6471B7BA1433C46E5AE94AE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.797{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AE23DC9EF413852F621CEC31AFD2A463,SHA256=BC8D33A454C75DD6FC29293D41FC7B2E3E6B25718B92F7FB2267D7401BAD92EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.750{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E3426B4ACBEF2C7ECE530C7E2B35DA1B,SHA256=D65E8694F7B9B302595041D65AF69B2B4F6E2E3335BDA9605B1922867ACF852B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.703{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B5B84791E63C1DC2605860CD074BCCB9,SHA256=4C4E9E284E28A660D529F6E3C34FF4D49D43B318FC53C5285BE1EAB07389A941,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.656{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2FC3A273C329F29614F92EAE09F94A8C,SHA256=9405C3AC63DC2E47BC1834924132447D0BF59AB3B963FB1A603B0949F36AAC3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.609{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=1C5968E3DC7C73D9B2B2426199C2D7B6,SHA256=A7A7EDF00CF6D80985D43CC68C82600808BFD406684B85AD43ABCC2E7559917E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.562{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=358CFA5A30496F9363DD8F6A7B8173DD,SHA256=9452F62CB79EC0D26301330A008C582C4D15E433667E4A9DE0F284388AA1C9D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.515{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E284DBDCC1B0621937E50A5EDD5035A2,SHA256=A421C57AFAE9F0E933C17ADA2C86F3ED1A834976F586C21B9BF1E79948DDFE4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.468{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=811D64EE5E6F6CC657064EF3B2FC0B66,SHA256=068DF1075604BCA749E351881520499CB7D205ABA238086C9D0AA63F55642A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.421{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=140BED2EB797DAD57B588DAD9AB8D2C2,SHA256=745BCAE90657E56FE7DB924292F6F6E5496673BD8F49F83F810AFADC4C55EECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.374{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BC8BC2733AC22F55ED7BF5A4745B0562,SHA256=C80765D85050568D443ED65364D5FCEB35CD9C6E96221BB67E921F634D403214,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.343{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A6D4ADEACEA598AA9D66024D168FA03D,SHA256=CF27A5CBFAABC032831A01CEEDC90F690B9AFA3181F3858F99CFAE63325725AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.311{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=693135F8C2682A03657E4C236D7BB866,SHA256=DDCC713300FEF4AE48E45CBF43C055380F1FDC2DBC3C51E7D132A1BD484A8337,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.249{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BB1354E35BE07B22E78037C8F008FD2C,SHA256=6302CB1C917E7C9C840064C49A88B34A0F4F04B63AE0E46E2B25D19B0E624998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.202{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=37FE7B0DAF1CD470A4359A901D5A9AD3,SHA256=B477E10ECBF1526B2A3FF68733C6D1F3F318E0B196BA2DB583D4CBF9944EFF73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.154{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=85005E89DDF5262AD7E5F0DE9956629A,SHA256=603D3D72CE1D75A472ABD198B3BA8E80BEEDDF66FF2E5BDBB6A6CAFDA25C4352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:32.014{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FC71408B160EAE6D336FA80F91B6479,SHA256=F5D059121F3A5314888DCD6696E7AF9C4CEC24D891C05B6EC669EA01B0574AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:32.366{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C026C2755743BE1E303D1F170C8AABF2,SHA256=064078451A6C56B63E86191BC8A176D67F5CA4E4CCCC924B780B9307DE7255B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.956{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E7B20C1BD4EAB2128BFF652340C16C73,SHA256=6160CA2837FF80D5991286AF2F560099ACEAF169E851642F3B14342B7784A5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.894{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E351021B0C46603E0424E4EE5C5AEA0,SHA256=271783B34B50AECE81F5BEEC296F3BF9D06C0EFB510FFA4206427B38220FCEA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.799{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=032D254C9DE7AE1F9F9592C2FEA48B21,SHA256=605005FED9B1CA3BFD2663C66725827DF8B020F0F200C04C147468D8849FA0FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=AFB9EFAF5D1567F1A87FF40B3D2F3050,SHA256=A1C8D942E1AC2AFE79721D4A72E2BC0FE84000EA1A6DEE6D76218E3C58688803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.722{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=87551BD08642B70070A41D09C2717A65,SHA256=31D9A10F51938D8E11EEE2C330FE7AD096178336E41AFF6556EE07A0039F8D23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-194E-6154-9800-00000000FE01}42645808C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001518879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.675{5EBD8912-194E-6154-9800-00000000FE01}42644484C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.644{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=0A59310DACB16813AB59871CBBA5CA57,SHA256=690376F8CC9F7E7C38498BF0D90DB8F250D0C124D8308FCE9888EE44C27E36B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:31.189{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local50034-false93.184.220.29-80http 354300x80000000000000001518876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:30.340{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001518875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.564{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1961-6154-A900-00000000FE01}1100C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.564{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-1961-6154-A900-00000000FE01}1100C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.564{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.564{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.549{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9B923352906B6EBED4C76F3A8D8149D9,SHA256=CE761ED03306098A029A8B10AD26E80F2518B45B7DA8CC61256D12B187F7F0B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.502{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A686C1F4AC25CF0DC8D66B5834C48C7,SHA256=F9534AC0A25BB154108153939A117456076A21F1E99618425490F8ACA562464D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.470{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D05CCF447EA9F612B6B1F4134DBAE4B9,SHA256=AD00995DDD5D8D3C0732E58713AA31CA7C8EECCA0A018F7D726F993855180A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=875FBCBACEBE830078F95F8A96E33933,SHA256=185ADFF263B9F185714FEF2D1EC7982FD4BA5E2B7D07DFF984444EB8BC08217D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=52C317E25ABB6403C073363D673BB4D0,SHA256=2D36D5FACF9EDDBEF26251412F2C8FB883FEA45E79AE7C2C49FA0679503870C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.330{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5BF45F9852B1154F7E376C2806424572,SHA256=5D23CE8D7F825ADF90820787765AA94E24CF43DF81A12F916BCE71801B614BFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.251{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=515F134D0BF909BFFD2DB7A5D207F20E,SHA256=78812E4A7C57CA36AA53FA67807D8E8C79D5788A0942FDB9B2E58BE38FEAE49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.204{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F5497549375EE095971D840522B4BA4E,SHA256=430436F040B674CD6A1BF9E1FFEC44A01C922F719A1E147E27C60522CCD861D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.157{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=39A8948D6B6983B0653061FCC0DF5C08,SHA256=997D6012A18D8ED261C0DDC5928608BD454FC6F28CB571FEF233CBB28E8654A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.111{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=71E34396747E18178B6A5E12862A605F,SHA256=4314A4876055E5F527FBAB19B96CC8B5DE1FCE5B81CF3B6F83EB6FDF23A8B2C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.063{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=F418B24E3D9125965C7F884C0C38AFB2,SHA256=A63FE5905A8F9756EC9171619567D474BA235B3F552BE883FC81A7733F23FFE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.032{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E11834DDD323BC2E0C318BB79801D8E0,SHA256=00AEE7F198F530E744BFD7BAE02584DF1DBBBC6B8B3A863BE7C96D6C2587D3E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:32.076{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-53204-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:32.024{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49764-false10.0.1.12-8000- 23542300x80000000000000001424448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:33.694{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C22A4098EF6935E8B1FEBFE7C32C98E,SHA256=E3904B54F54ADE4B87946FE98961A23BC14CC475ECBAE55A75EFB971548B1CCC,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001424447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:44:33.569{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xd8190492) 23542300x80000000000000001424446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:33.413{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70FDC0B88EA06F591207E463394C7281,SHA256=7DE93DCC46331A02B401503421A41584E609D8FFF3950E38761353A0E88B08B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:33.001{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=15F73AEA3D461C17793CC725C4BB6921,SHA256=BA1FB52AB52D130C8947CE447E0A60E874F67B1D5E7E549E36CC1E715DF437EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.630{5EBD8912-194E-6154-9800-00000000FE01}42644484C:\Windows\system32\sihost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+386f0|C:\Windows\System32\modernexecserver.dll+2ff00|C:\Windows\System32\modernexecserver.dll+1e81d|C:\Windows\System32\modernexecserver.dll+1e514|C:\Windows\System32\modernexecserver.dll+49142|C:\Windows\System32\modernexecserver.dll+14a47|C:\Windows\SYSTEM32\ntdll.dll+3a940|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.614{5EBD8912-195D-6154-A800-00000000FE01}5700ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.cmdlineMD5=8554EC2D0FED51420319EB556C07747F,SHA256=C372BECB6E83A2ACFEC5012F0CC35A2E5A8F2DB82486957D17D916D225C2EC52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.614{5EBD8912-195D-6154-A800-00000000FE01}5700ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.0.csMD5=D9ACA9FFA16C22410A16DE5D5571469D,SHA256=74E86BCD8E601DAC165642F69B571B651867BE0251D7B3D9498D1F080E4D8391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.614{5EBD8912-195D-6154-A800-00000000FE01}5700ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.dllMD5=9DC4EAB153A4D5177BB8E37AA46371CA,SHA256=FB1C16C456F26F16FFD120631198F00E068780C85C08CF6F77F5BA79123CBD6E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtruetrue 23542300x80000000000000001518919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.614{5EBD8912-195D-6154-A800-00000000FE01}5700ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.outMD5=E77C5577B9430D88CD4AE20B9A50A8E4,SHA256=5F75F89EFA76202C959FEA2C06D96CBC34738588522825D52A60989588128F18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.583{5EBD8912-1962-6154-AA00-00000000FE01}6000ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\CSC54620711685E472482298881B45A7A9.TMPMD5=861A1F32CDD694D221CF8DF5EA735E58,SHA256=9E49DF63CC8C4D34D0268A4073310D376D2DDAC19E52245E472DEFD2AA0066F3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001518917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-09-29 07:44:34.520{5EBD8912-1962-6154-AA00-00000000FE01}6000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.dll2021-09-29 07:44:34.097 23542300x80000000000000001518916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.520{5EBD8912-1962-6154-AA00-00000000FE01}6000ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.dllMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.520{5EBD8912-1962-6154-AA00-00000000FE01}6000ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES3336.tmpMD5=C34EF5D098A55C968263175715AD2103,SHA256=93A36367308645614D3F050876E400A2D1206735D1E462A35117924E1639A1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.473{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=9DBA78CB980F917066EC1C7EA38ABCD5,SHA256=C4EE44E851CA4DCC40E2CDF5A9D38FDEF5A074FFB2FDF2A8DB77258EF38A51AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.473{5EBD8912-1962-6154-AB00-00000000FE01}6028ATTACKRANGE\AdministratorC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exeC:\Users\ADMINI~1\AppData\Local\Temp\RES3336.tmpMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.457{5EBD8912-195D-6154-A700-00000000FE01}55365568C:\Windows\system32\conhost.exe{5EBD8912-1962-6154-AB00-00000000FE01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.457{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.457{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.457{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.457{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-1962-6154-AB00-00000000FE01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.457{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.457{5EBD8912-1962-6154-AA00-00000000FE01}60001412C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe{5EBD8912-1962-6154-AB00-00000000FE01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+b46d|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3db4|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+3f2c|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+4002|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+27b2|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2804|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorpehost.dll+2948|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+7fe06|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+4726f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45e1f|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45b16|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+45826|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1938a|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+18bf6|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+a831|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe+1f0a49|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001518905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.461{5EBD8912-1962-6154-AB00-00000000FE01}6028C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe14.10.25028.0 built by: VCTOOLSD15RTMMicrosoft® Resource File To COFF Object Conversion UtilityMicrosoft® .NET FrameworkMicrosoft CorporationCVTRES.EXEC:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\ADMINI~1\AppData\Local\Temp\RES3336.tmp" "c:\Users\Administrator\AppData\Local\Temp\tvnnoin3\CSC54620711685E472482298881B45A7A9.TMP"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=C877CBB966EA5939AA2A17B6A5160950,SHA256=1FE531EAC592B480AA4BD16052B909C3431434F17E7AE163D248355558CE43A6,IMPHASH=55D76ADE7FFEA0F41FF2B55505C2B362{5EBD8912-1962-6154-AA00-00000000FE01}6000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.cmdline" 23542300x80000000000000001518904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.332{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1A16F5F5613D7E189D266A9D5E039C8,SHA256=F30243373174579198A4E2609588174DA8742E13C30FA0C301BB70EFD4F77A6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.144{5EBD8912-195D-6154-A700-00000000FE01}55365568C:\Windows\system32\conhost.exe{5EBD8912-1962-6154-AA00-00000000FE01}6000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.144{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.129{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.129{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-1962-6154-AA00-00000000FE01}6000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001518899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.129{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.129{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.129{5EBD8912-195D-6154-A800-00000000FE01}57003896C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{5EBD8912-1962-6154-AA00-00000000FE01}6000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+384146|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2be405|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2be05f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bdb80|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bdb08|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+2bc1c3|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+7d8e81|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\2a6ccbaba5690e5b3fec3bf707022bdb\System.ni.dll+7d828a|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3143b7407cd40db6cd5387f74bfeadef\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffe020(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.P521220ea#\3143b7407cd40db6cd5387f74bfeadef\Microsoft.PowerShell.Commands.Utility.ni.dll+ffffe020(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+62abe310|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+62a982d2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+62a97f0d|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+6356023b|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+62a54e7f|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+62ab88f1|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+62a9a900|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+62a9a900|C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Manaa57fc8cc#\0784610d68cd6b36e46150702bf69c35\System.Management.Automation.ni.dll+62a9aa80|C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll+58e06 154100x80000000000000001518896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.107{5EBD8912-1962-6154-AA00-00000000FE01}6000C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe4.8.3761.0 built by: NET48REL1Visual C# Command Line CompilerMicrosoft® .NET FrameworkMicrosoft Corporationcsc.exe"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.cmdline"C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=23EE3D381CFE3B9F6229483E2CE2F9E1,SHA256=4240A12E0B246C9D69AF1F697488FE7DA1B497DF20F4A6F95135B4D5FE180A57,IMPHASH=EE1E569AD02AA1F7AECA80AC0601D80D{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive -NoLogo -WindowStyle hidden -ExecutionPolicy Unrestricted "Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"; Set-Wallpaper" 11241100x80000000000000001518895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.097{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.cmdline2021-09-29 07:44:34.097 11241100x80000000000000001518894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localDLL2021-09-29 07:44:34.097{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\tvnnoin3\tvnnoin3.dll2021-09-29 07:44:34.097 23542300x80000000000000001424451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:34.476{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A85A439E8082A3D259FB744FCA20D09E,SHA256=CF44377C3C8E52E672413E6BAF613D4CE6CCBD2E103B7DEEE397D0BCB6496FBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:35.961{5EBD8912-194F-6154-A100-00000000FE01}4472ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaperMD5=9F66C7A92669117D84AD0084B52D110D,SHA256=9F862D22987EEB12906CB8A85857828C5684B3BD1497D0FBB0F2B6ADA86A6EF6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001518932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:35.946{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\LastUpdatedDWORD (0xffffffff) 13241300x80000000000000001518931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:35.946{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\WallpaperC:\Users\Administrator\AppData\Local\Ec2Wallpaper_Info.jpg 10341000x80000000000000001518930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:35.899{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:35.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=38357146812275D90D01DE8AFDA04824,SHA256=88B08D4A6BCC8ABE4D61322F0F3E67A37839AEE1B45DE9394B943B8E7ED88CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:35.726{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E76AC7C657DD37C23362A4CB3BB04AE8,SHA256=842FAA9AE5C9B3C657806A4E187A75A05AC2EAFD09CE9999D8D574F788BB801A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:35.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F201412CD0688ED867830C9A39471583,SHA256=02749F7F58A1CF77FDC114862EF904700F32A1CCCDD23483CE4ED309287E6472,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:35.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=16140ABBC2ED347D288D37886EB0B3A0,SHA256=B3CC8D5EFF2E5837A0164E332D41B006E09323E301097433E70478524859A431,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:35.585{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:35.585{5EBD8912-18AC-6154-1200-00000000FE01}4521760C:\Windows\system32\svchost.exe{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001424452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:35.492{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A801532DF04A588AD39A10D78808DA54,SHA256=3F066ABB86BDDC2A3B4A345583AC320E65F365A00D617DA780469DB5B2507F5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.624{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local50040-false169.254.169.254-80http 354300x80000000000000001518953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.593{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local50039-false169.254.169.254-80http 354300x80000000000000001518952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.562{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local50038-false169.254.169.254-80http 354300x80000000000000001518951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.535{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local50037-false169.254.169.254-80http 354300x80000000000000001518950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.486{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local50036-false169.254.169.254-80http 354300x80000000000000001518949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.433{5EBD8912-195D-6154-A800-00000000FE01}5700C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-429.attackrange.local50035-false169.254.169.254-80http 354300x80000000000000001518948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.009{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41035-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001518947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.854{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5CE52CA8C45EC021CF3C4100AB09D817,SHA256=FFFEAEB28A68E658487A3ECD4C1D7F872F92A44E03316BF76ECA5CC2A45B0DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.854{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9059F28238125DCC0FD76434D62ECDD4,SHA256=D4D4AD04A3F7A67809B9CC4F512BC2AD5999AE4F3009F11882126C9A26079928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.682{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358F2C3FC34FD68320B2F930B0BF96D7,SHA256=36DB92C77D48900E71E55F84D8D97F20CBC887681B1950BF9C42C2618C3A74C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.510{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4F8FB6089ED1F82760C4DF452BB95C5E,SHA256=FD8BF3060F1AB1FFCE72ECAE579E9C6CBAAFD92D9FE232007ECAB1AE3950802E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.243{5EBD8912-194F-6154-A100-00000000FE01}44725456C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.243{5EBD8912-194F-6154-A100-00000000FE01}44725456C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.243{5EBD8912-194F-6154-A100-00000000FE01}44725456C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.243{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.243{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.243{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.243{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1950-6154-A200-00000000FE01}5188C:\Windows\System32\win32calc.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.212{5EBD8912-195D-6154-A800-00000000FE01}5700ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:36.071{5EBD8912-194F-6154-A100-00000000FE01}4472ATTACKRANGE\AdministratorC:\Windows\Explorer.EXEC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1920_1080_POS4.jpgMD5=CE188002F2174FC802614D9546436AEE,SHA256=23F2F4038EF682DDCB2117F26C8FBA93055B9796ADDCEA0007CD5D7FEDF5BFA3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001518934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:44:36.040{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\Control Panel\Desktop\TranscodedImageCacheBinary Data 354300x80000000000000001424456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:34.117{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-56178-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:36.523{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDA15C8D05AEB61E71DEA1F47E5C999,SHA256=77EB6758840040533AFA9CBA1DD21032C2E34D96D8B4EA5AE8227DAD794871D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:36.367{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C9814795BC4DF9A98F5FF05FAC5F00B6,SHA256=46868CB616F5368CFB794DBA4A142AC2338A6E4819C699EDE4EBB40131064402,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:36.320{69CF5F33-18E3-6154-7200-00000000FE01}34563408C:\Windows\servicing\TrustedInstaller.exe{69CF5F33-18E3-6154-7300-00000000FE01}2336C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4650_none_7eeb34dc2202872c\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+53278|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001518957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:34.767{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50041-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001518956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:37.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=045ECBFC811E560753ED8A180E649A4B,SHA256=D55958C05E653A92FAF2DEACC10E1F75DCCAE35804F717966C2E11A8EDC6858E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:37.539{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E341D5A7AF78019DC9945E292E4F1A70,SHA256=62AD17ED89C4A251258B21207B4C1C596793B713503828C650B57D15D0DC4617,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:37.512{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44A5BA1530540DE240066412F34C426E,SHA256=425B68452C6B030272F4A8469ABC5BAC49B514B70782A55480B5E157FD6D1257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:37.414{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6F0CDD299C2D78B003E13F938B657F63,SHA256=B4E0286FFD6DB7B386300616C021BB09CD32B44892C925433CF78C1E7E944D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:37.414{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=152A8C8028F586B553A445BBC5991AEB,SHA256=BB882FE4F3F56DE8422D021EDFA4DF92C661F0C56CB0068FAC442D9D12086B40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:38.765{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE9BC5B2E58BA8E89B70F0763A4DDDD5,SHA256=533C1DA2DE291EBA095E6038F6989FFE105A4D1C6BF651E5819801F293BDDEC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:36.942{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59761-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:38.554{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46F74F007BC721FF00D5A2B43B4D14EE,SHA256=CB62D8DD069EF6971028C149271DB7B027A69C8F233AE1C05C8720BDCD1EC911,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:37.083{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.54.13static.13.54.203.116.clients.your-server.de62455-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001518959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:39.768{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74AA92A1F82E79B49E0373207B0016A,SHA256=FDB141B79D1EB4A533CEE8BB660D106E0E53FE280868137CAC548DC7D26EDAF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:39.586{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=086FB26C0C20FD1C45B351A6CC6931E0,SHA256=D69507277531FB11907DA6012DEB821665F57F3A779DAB036F78594FEE3079D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:37.499{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-45345-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001518962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:40.802{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E4160247966CD80F781F40BA28253C,SHA256=21C9C0DC45631218D37E01DD4F8FE68D384505FB9FBE5C81C0F96EAAF114941E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:40.633{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3983EAF797F9CA9312B68FD921E6FCC,SHA256=25916CA4ED050B08C61053403D1E7AD2CE951C64D82280DD7A17C653C33DC67C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:40.112{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FCF7B1A695A4C5B8783B7065676A7A1,SHA256=04C507FB9422F73B94893BA820678919C46A0DCD19B6D8339880A24CA6B4F84B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:38.009{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49765-false10.0.1.12-8000- 23542300x80000000000000001518964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:41.861{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4914AF61826CAD08D115266D8DAC85F,SHA256=43020EEA3D128D2FA5CC948DCF6D9429146E35E625F4CDFE9C04C66EEA90F16C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:41.649{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C2033DD360AE9B49E1DCB9DA2CEDD,SHA256=AA4455674386C3A5DEF028B3BE108B850EE6D3873D9ED96EA58A24816A93C5DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:42.942{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F22776DEF427ACD582E8B2D77465CC87,SHA256=690A1A2BF30F8BF67EBA8FD3E5A98B7CB4E7A74191475940AC0EC5918286978E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:42.881{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABA9D6D5FB62AFDABD2B84822465536,SHA256=358F16B5767214D14ECA7262F38C91408937915DD0699AD1F0C42AD3C578847A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:42.664{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B68EBFB7525AE0610A5CD3ACADE35D,SHA256=00A46EB9C2C66DBED5B790BCC4A7A75E86665CB11E4E9B56AF5DD966DF6AF691,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:39.962{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-48836-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001518965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:39.373{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50756- 23542300x80000000000000001424467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:42.414{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E37AE8745EA6345A378A9E95269DC2FC,SHA256=64D6E631EBB4449A11C1FE94577A32A8D12328F09A933B7CB40C28B459314BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:42.414{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE5BBCC457E2428792CC74484E0E4612,SHA256=A4DC22F14085042F5C8D5DCD47B01F293262AA9472F4B973912068EF88801CE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:43.898{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD31781B4B113E603D560D4BE0E7EB07,SHA256=880AB914A5C4ADCD995A5415D349EE24AD8374EEA48CBE4F1ED5CF2D70D3F666,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-196B-6154-9100-00000000FE01}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-196B-6154-9100-00000000FE01}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.930{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-196B-6154-9100-00000000FE01}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.931{69CF5F33-196B-6154-9100-00000000FE01}4092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.711{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB81E61370C8759B04B7E565FD851EC,SHA256=10C0A183B59A533639BF3C2B61A1BFF7B7984E07A1055012717F9F943CD0E7D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:40.638{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50042-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001518972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:44.916{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24AC773C5384CD834CC415FED672DF0F,SHA256=45219E7E03889DEB822F34BFEFB1898A6C6D06F59A1BA95F0F499397145E9A59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.758{69CF5F33-196C-6154-9200-00000000FE01}16803416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:44.164{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-196C-6154-9200-00000000FE01}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-196C-6154-9200-00000000FE01}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.602{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-196C-6154-9200-00000000FE01}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.603{69CF5F33-196C-6154-9200-00000000FE01}1680C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001424483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:44.118{69CF5F33-196B-6154-9100-00000000FE01}40924088C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001518973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:45.934{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6430E97709CBA329A15A432BA50AF2FA,SHA256=FD9E25804BB45390C9FA3EF3FC0C0F2CFBBA7006BA9F3B8C3D6A3F3F3B52C0B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-196D-6154-9400-00000000FE01}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-196D-6154-9400-00000000FE01}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.946{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-196D-6154-9400-00000000FE01}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.947{69CF5F33-196D-6154-9400-00000000FE01}3944C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.837{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A2201CA50A7E532C5CC2DD73C5FA71,SHA256=F0EC52D162752DD090651328F8A4122B6854A9204D5FDFCA625616FD8BB53EC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.430{69CF5F33-196D-6154-9300-00000000FE01}33963200C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-196D-6154-9300-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-196D-6154-9300-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.274{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-196D-6154-9300-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.275{69CF5F33-196D-6154-9300-00000000FE01}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.071{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6DD830FE2F9EDFB8C902BD79050A5A,SHA256=DE4EDC90B68A355BDF80244080F1ACC6B9E4FF5171AF20CD65121781C516FC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.071{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E37AE8745EA6345A378A9E95269DC2FC,SHA256=64D6E631EBB4449A11C1FE94577A32A8D12328F09A933B7CB40C28B459314BD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:46.936{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88B9F51029F061ADD9C6E1AD34C8A7F,SHA256=DFBBC6A0ECBC24AE4F5ADC948C09D5FCFF09D5AE314DC5438B179310B301DF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:46.915{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E613C86ADF1DD15A3945224A2A643A6,SHA256=EE942641474BB7BDF29AA389890215E005CBF9F526EC92F940A8CB321E2DB965,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:46.873{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B2549DE61460F8779A75E2A11CAD022E,SHA256=20A629EEDE7387264A99411A9535460C46C3B7BEB7538D4F47692EA224A11C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:46.873{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=B2549DE61460F8779A75E2A11CAD022E,SHA256=20A629EEDE7387264A99411A9535460C46C3B7BEB7538D4F47692EA224A11C2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:46.873{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=3926D0012A74C925A27CEBB1EFCBDED2,SHA256=5494852D1C23D144972B0891736E62F6D50F6284FC1608C4C4D7818F9854993A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001518977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:46.842{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-1933-6154-8600-00000000FE01}4948C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24cca|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001518976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:46.842{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-1933-6154-8600-00000000FE01}4948C:\Windows\system32\sppsvc.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001518975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:43.665{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50043-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001518974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:43.426{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-52759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001424530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:46.306{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C392B4D84ECCBD3520B87F794287ADDE,SHA256=07A4DE1EEBA92B124C3F2AE7B1F8A437B32A5B290C1F990444B5BDBE52345A76,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.977{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49766-false10.0.1.12-8000- 354300x80000000000000001424528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:43.303{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-8972-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001518986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:47.985{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12405EA8DE3D76BEFB86A5C115E79551,SHA256=EC7504FE8E6F5F605C7E750702AB763F842717CF7F1E97C41B593551AD1534C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:47.985{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3865175B5142882BEFF9511689C97A55,SHA256=A88A78F17522579FE548C3E514CFB127B73711057A7BCFC8F9D2E57697E96BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:47.938{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D7B672325FD9D5DDCA715368C1FFEC4,SHA256=C7805F383A575E0CB6B0E400C4F8444B111830470FAC62188AEDCD1DEE3E1735,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:47.931{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=642858A869EEE2307C4EC4D0FDE5BB44,SHA256=EB3AA425D64259E25BA25D548C3DF4CA6F871AC2C823AF63753D5BE33A55C2E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:47.907{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=58818532F5F98E9ACB87BB3E5747B528,SHA256=ABE18DFC75A4316FCD88EE5785BE4D10DB11B267C51BEFA94A39B5A58BA073D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:47.907{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=5CE52CA8C45EC021CF3C4100AB09D817,SHA256=FFFEAEB28A68E658487A3ECD4C1D7F872F92A44E03316BF76ECA5CC2A45B0DDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:47.431{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27BA970D2D980D85ACA1B354ACF4FF49,SHA256=9861845D9E3AFFBF774D51190C37E7F3B3F6CC76C981B58C23A12E0CA85CBC97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.056{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30242-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:45.017{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30144-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001518988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:48.941{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684EA8403676FBE959592661D01C2555,SHA256=6818CF19854E00CFC35D54C3939E579BB0DD54540718BA5EB351F3851B45577F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:48.978{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=767C1E32B9B84C075CC379570650E81F,SHA256=9C26FB52C8E26EBF0D9AED8900E1B7C15E2D2C59521006AD11151E3AA830B30A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:45.727{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50044-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001424537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:48.603{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD433FC5ACD4DCDD64AF7E63569372CF,SHA256=5E6DB0AAB805AFF688866CA3F1A5E85B29CD82A5C5196B23E2463646B0BEB89E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:46.170{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-36164-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001518990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:49.943{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C5769D6BB89B59EFA0C5567CAAA1258,SHA256=F2B9E4DDF0F7B6B1901705B7E0164F8E5F5E27361074FE07E1676778D05C21F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:49.786{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12405EA8DE3D76BEFB86A5C115E79551,SHA256=EC7504FE8E6F5F605C7E750702AB763F842717CF7F1E97C41B593551AD1534C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:49.712{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73AB71F5F9CF48AAD0181F8C5E131F3B,SHA256=EA258AEFD338530CFB41B4B19765CF508FF9B00F6CEE5407558A01FD23726580,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001424540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:44:49.572{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xe1a2c1d3) 354300x80000000000000001424539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:47.263{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-41702-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001518992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:50.948{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F86AFDF77C738F05862EF44AE4864B3,SHA256=013F9B57F24E3910C6449B07C1602F37A74FC510A5FF093E35AFD25E894A1BFF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:47.860{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-58087-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001424546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:50.899{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=949F1EFFAE860871254C966ECF6E9763,SHA256=C6F2CCA1D196838DB14282A9B91A3A8A258640DD7D44DBA68D744FFB31319722,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:49.040{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49767-false10.0.1.12-8000- 354300x80000000000000001424544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:48.447{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47840-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:48.276{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-15425-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:50.040{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810DA56CC34D09F2716D15A72DF59B8D,SHA256=FC4CACB2BB14E80E278802159FFAA7ED3833886B8715FA8C3960E9DC8DD16D2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:51.136{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-002MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:51.977{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C13E67C9D6E1A2D79B822B93325DA630,SHA256=8E051ECAAB451D30CC2E9046809ECC0AE503AA402C5E9D0FECDF83A4739CC045,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:49.606{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53714-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:51.055{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02C1C57CBF1A3A9EDEB6A55F05EEBE33,SHA256=FACF0941018D217A5D0C44A380CA6C521F4D4709DA96605DB0F2E49F271F9F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:52.152{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-003MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:52.104{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E179026044FC45A1A4621BC288084CC,SHA256=2A8908D16BCFEF1930B572EE6E58D527AFD425C23BB2EAB1C642AD33AF1CF1AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:50.718{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59534-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:50.159{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-18529-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:52.070{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA5AEA15196E99A76CE51DFE27C377F,SHA256=CBD735C8EF08A3206C5FE19B95FCDD567464E5807A8C51A55A4F44B28DBA48C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:53.251{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D017C17FD980464197193C34CF184083,SHA256=8168AF816CE6173973D83B9BBF20DD3C888E9883120F39F08835387E7E44D40F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001518997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:53.172{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F727B455B7159EA2C77154B69CAE15A,SHA256=FDEFED742412EA4CE35F79AB305C76DEDC3900E65EC3E1C838CB394A5D42F0DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:51.796{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6597-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:53.117{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D70CE193F0B693F6FA149A920FB453D,SHA256=7F74208877FC218605C95F4D93A491BDCA9CD8D647B0472061E582584EB5E797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:53.085{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=786EEFA8FD7D7D631103772986011004,SHA256=3688089A6D36A0DF49FF0DAE1CBD06A7A2E7535939FDA4D68873A95B6D14562E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:50.360{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2588-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:54.394{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BADF810CD401A313F3E5923EF911A9,SHA256=F2D486B7CB347EF9BF67960A25CA7E66A53C29C32B9CAE7A42E2CB8D14D7B08F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:52.938{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12401-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:52.103{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-21772-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:54.195{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=22A5C993918470173AAE9B843626E50D,SHA256=5295D3D50D1EA18E15CC109EDB001F83EFD601CA2228F1738CE8F10A7C6198E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:54.085{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6403D6364BCEBE5C1B7976B165F6494,SHA256=134EA3627C9927362AB50A996FD2EB40F051AFAE186C0803038231DFE013718B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001518999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:51.539{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50045-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001519002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:55.537{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39BB4B474E8E2D5B83C4F2DCDFB0523D,SHA256=0D67E0F1B826D08CD70D951DED701619086BBB390B941E84424D249F01256858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:55.272{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F33825521E4D0474EAB5DD7E75671585,SHA256=BDEB70E9CBFACC180D9AD8E400E6103955E8A5BF7088B2B580268F2332A47DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:55.100{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B692F2AD90127F60238A599A14ACC82,SHA256=49630B82AEB46767E66EB1E596AEF30A8248F012734861156A17FD01B5F511D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:53.350{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5787-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001519004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:44:56.805{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xe5f28010) 23542300x80000000000000001519003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:56.555{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F493CEB1CF7750A0675C2C28CD5C0935,SHA256=097A1E54387BFF499A09188FC19C8B5B166D03F02862910BEA9595384E1FA5F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:55.140{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-23878-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:54.930{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49768-false10.0.1.12-8000- 354300x80000000000000001424564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:54.030{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-17860-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:56.412{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A42D77C10A688BB7092CF00FBFBC204,SHA256=22A3B26021E6E3FDD2D28B9BFDB2F7EEB4785A4D41BF4051F50B801F9D40BBA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:56.115{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45D7BEA6EFBDF6E3EDC056A3AA46F83,SHA256=D6F81D3005F41B9EB910220CB52C9D2317F4DB08746E0077657E8E79D146EDD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:57.557{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D74B6D0B4D97DDBC9673C5D157F276D,SHA256=152B16FAA0CBB97BA6A57767E194AE9FD5A48EB64E4761D247A1D7EBC264D198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:57.490{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=349368E6C2FE8710F94E84798D713FFD,SHA256=60CAC41328AFD19223F9676BFD1137F63B354C19C8FDD38B9F6C71FE41A1F037,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:57.131{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56360ADEE7B1353E79C7FAC90072FD8C,SHA256=50A9DDE978F09FA9F050B46A07B62D1AB72321081378022A44FA9FA1B9A09873,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.669{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-197A-6154-AC00-00000000FE01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.669{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.669{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.669{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.669{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.669{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-197A-6154-AC00-00000000FE01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.669{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-197A-6154-AC00-00000000FE01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.497{5EBD8912-197A-6154-AC00-00000000FE01}2068C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001519008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.591{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=663D4C91D6FF3B8D2700442990EE35F6,SHA256=387A155AD404050797EECB524C79979992CC0EEC316333493835077399F5A5B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:56.439{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:56.234{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-29632-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:58.662{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F274722F45052341B1E62A9C7DD8EA38,SHA256=A6EE21EF49ACFDB793E39E935793B2402964CA649002C9A3BBDE9A3D0710CE89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:58.146{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31B3C31147FC6C68FC59398709DD18D6,SHA256=35DE71458E1BBBEA38FC408A77F2F5A0BCF21DA82F273B06BC463110ABDB4B6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.434{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0137A1552C9937E63B4EF66BF8163B9D,SHA256=FA51F6DB999FE67E1A6C4004F03E982EB9612D7FFCFD90702BD7EB77D191B684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.434{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67CFB0E601FC0CE3131CB9E781D76EC0,SHA256=5667E1C2C26D2ACEB1F3549F557B55F53FE38A25C3792E72BF59386A96288598,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.827{5EBD8912-197B-6154-AD00-00000000FE01}24002688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.624{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3DE014169301823CD57A5D0566516F3,SHA256=E1B597B850A683132F2004BE19A77F718E807A37F3AB0BD70A8135F3A1C792A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:59.771{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C556F686E33DCF9B8D864D8AAA6A3C02,SHA256=03A8C677CEDFAA874F912B3F8EEE879F8C0D12E3CF70ACE68F1303715A29D1FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:58.091{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3302-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:58.053{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-3191-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:57.326{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-35389-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:59.161{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB9C99AAF2B4B19C54C0C8C49FDB5592,SHA256=76C2F43D83C2CE4921753BEE75ED60D49DC4E47CB0422E0AA02B3B20554E82F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.561{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-197B-6154-AD00-00000000FE01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.545{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.545{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.545{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.545{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.545{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-197B-6154-AD00-00000000FE01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.545{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-197B-6154-AD00-00000000FE01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.390{5EBD8912-197B-6154-AD00-00000000FE01}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001519018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:59.530{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0137A1552C9937E63B4EF66BF8163B9D,SHA256=FA51F6DB999FE67E1A6C4004F03E982EB9612D7FFCFD90702BD7EB77D191B684,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:56.668{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50046-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001519041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.641{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D3CC58F2F7F4FDAD9A9F4A75CBAB9D,SHA256=FA55016F1C6AD82D12E8CEA6F161FF043AC30E6019702C5AC507D7623554611D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.778{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54259316- 354300x80000000000000001519039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.590{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50047-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001519038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.590{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50047-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001519037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:44:58.531{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11810-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001519036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.422{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-197C-6154-AE00-00000000FE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.406{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.406{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.406{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.406{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.406{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-197C-6154-AE00-00000000FE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.406{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-197C-6154-AE00-00000000FE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.282{5EBD8912-197C-6154-AE00-00000000FE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:00.895{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B67CD054D69887EF46B62CDF83EFF3E,SHA256=A26F7C936670E8DF958FC2FDC93C8480C3B1B4A55D5E430EF119522CACF07918,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:58.507{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-41564-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:00.164{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FA0C400CBEF8BBC5544232FEFDFA3A,SHA256=812BFFFC9BF44BF67736D1E20FE2E59E57B0FE2DEDCECD73A870F6E9DBC41151,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:01.668{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D1B9B2BECEBC916141210D9A4CD7A7,SHA256=A3792BFF5D2DD72766FAE7737D1DFD2C066A05B3F062C8DECEF063E59932D9D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:59.215{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-7781-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:01.177{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E57C2D7FA1C79312976CF4E60FA25E,SHA256=C6226AE232542CA4672EF1887D6183D42F5822AC5BE5F38C6C27101911CDEC33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:01.017{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01153B5C4BB5DCE002D20F64C0CBC805,SHA256=CCBBD082F22E75274AA8BB4BBD55E4837A32A3C2629BB87FA5A39536E4E7288A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.779{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B78081FC8BF0268025CA631518F418,SHA256=DBBCAF8079682CC57F13793B242B409F49615C53CC9524ABBFAC8986423C0811,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:00.868{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49769-false10.0.1.12-8000- 354300x80000000000000001424587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:00.733{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53142-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:00.330{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-12467-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:44:59.606{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-47219-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:02.192{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242328E16369A4D840751580E35B9377,SHA256=1901922B1C288CC9D5984B6BA95072BAEC1F07A89384A5309C170C8575E3D784,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.638{5EBD8912-197E-6154-AF00-00000000FE01}4364848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.388{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-197E-6154-AF00-00000000FE01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.372{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.372{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.372{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.372{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.372{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-197E-6154-AF00-00000000FE01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.372{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-197E-6154-AF00-00000000FE01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.216{5EBD8912-197E-6154-AF00-00000000FE01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:02.130{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B43D7A7228BF60A2AC8E93F849FAA25,SHA256=D040FC7374BF5D6FC705B5A46656B11EE77593FBAEEEB614317A8C2C3A83247C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.875{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85F98F2BD4FCB64F406B109B7E920A2,SHA256=488A03777B8098FA85DCB8AD42A0C35095BA8FF1F870A3514A43357A065F9C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:03.208{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7839749D3FCD4DA7553A080E7DA3AF7,SHA256=011FF08F2CF01934C9895FEE0F978D7B88D161404F483D687D3ED579B5671100,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:03.192{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF48E1D84146B7C15E9D3E1A29FCBA48,SHA256=4F70CA6B81B41B9179F29B793BFE533B717848E6E895035F093D0D3C4CA6D313,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.781{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-197F-6154-B100-00000000FE01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.781{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.781{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.781{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.781{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.781{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-197F-6154-B100-00000000FE01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.781{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-197F-6154-B100-00000000FE01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.610{5EBD8912-197F-6154-B100-00000000FE01}4556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001519064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:00.582{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-15625-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001519063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.390{5EBD8912-197F-6154-B000-00000000FE01}45004508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.218{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=499FA1E80C1334C77BFE09B387FECFFC,SHA256=A196AEC23074E9FDF852F471B32E1710E60BDC4971D954491F774E52D942A4CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.108{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-197F-6154-B000-00000000FE01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.108{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.108{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.108{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.108{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.108{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-197F-6154-B000-00000000FE01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.108{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-197F-6154-B000-00000000FE01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:03.109{5EBD8912-197F-6154-B000-00000000FE01}4500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001519076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:04.909{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65B2CEC3B65E1056E5B898FDACB539B3,SHA256=43982B29BAEB2C5E0145022F50567D33A22138ECF87B514B9C459E91C557400D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:04.286{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D368189E684EA4B7B7E93C4DFC01F85F,SHA256=5A2E23A263C61F792840DB2C2A35DCD21CB59E6DE33FEAB6DFBEA5561746FF6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:04.207{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA8B0334FD2430850599B47B4F158AFC,SHA256=D387B0F71F89088CC60EF9CA653CE67F7798293924646D813ADC6E3DD9F56AB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:04.815{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F7BE917C5B0CE53B6F79E2713EC7FD6,SHA256=D45CDAF9959E7DC9AAC426DE1189106565E6A8E89B46B98F50BCD19F98829699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:04.110{5EBD8912-197F-6154-B100-00000000FE01}45564596C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001424593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:01.951{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-59496-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:01.419{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-16785-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:01.176{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-31736-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.910{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1227ED5764E252935D878D257302E195,SHA256=05363E2BFA98795B3D1CD8F386DD66AF2B493EF9ACFE782C2BD9EE7C4A5FAF33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:04.192{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-12383-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:03.588{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-25319-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:03.309{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-36023-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:03.029{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:05.457{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31F8ECE5F3ABE2ED6BA954918AC4D12A,SHA256=17D3721ED85D158BA74D4F3B13AC354393F4798356158C301594C464812774DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:05.223{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18FC562C4FFA875C454140EA2225ADF,SHA256=7178436DF7B0C87245AD1FB26D8B40853D19CE8F7E7001F69D1E9500E91E1797,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.190{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1981-6154-B200-00000000FE01}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.190{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.190{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1981-6154-B200-00000000FE01}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.190{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1981-6154-B200-00000000FE01}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:05.019{5EBD8912-1981-6154-B200-00000000FE01}4656C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001519077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:02.583{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50048-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001424596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:02.498{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-20986-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:06.912{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6DCC0A0DA3E55F135D8D1892A82CFA,SHA256=C342B374EE4883D23FEC9FDAF776A454FD1BB2060D5A037C4CEE82669F6E75D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:06.051{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D95F66011568DD6D0EBCCBC5A879BA7B,SHA256=8ADA7D97554FF142A59EC9E8713E77E505ED183EC921304E1C640FF7281305F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:04.897{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-38935-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:04.715{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-29807-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:06.613{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF5319A6EFA9F831E037747F68CFC304,SHA256=FDB9959339A224E9EE9F011EAEB8E4AAA1C06D477A8C9239858BA3B5BCFBE9B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:06.238{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DEF460513AFF626D09B47715B36A0FA,SHA256=9016D22B4F5F231E3E817F9A4AA39EDEBA8756BB6A72F62A8A2B161FD3ACE2BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:07.914{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15F51AC114DC248345C97082D14F8B82,SHA256=915C0FFAD4511C4EEAA31C0D207F7C3E95F06242191DD11609F72BC6D54614D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:07.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8B235045074D3E058646CA030A2BD47,SHA256=9087C66321031D402ACFA1836332D2969E77B99BECF60DBA3E1930D7EAB3D2F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:07.238{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448193C1E962EF10DBF88BE800A3D8B5,SHA256=FAA90596F2FE39A7F24BCD18E01404502ED12E1003A8D31FB42123C8A17C5184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:08.415{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A82CC2CADD22485DA141F3216CCF27E,SHA256=D0B897D230D6DA92C2AB78EA9C1D06B80650C0ED1EBCE5F990EC4ADAAB3DCE7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:07.532{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30057-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:06.904{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-38403-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:08.941{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2386AFCCF8A4F14281697A1554E62FEB,SHA256=0AFFC8E18F3D048792F83287AF7F00E8448AC1D6EF758AB9E7FB584DDB833093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:08.254{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D54B26370F39ABC50C816B77B4A44B01,SHA256=1B04278D4BD27D65406FDA38BB07FD727A295174311110D4312AE282A93F82DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:06.452{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-24114-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:05.977{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49770-false10.0.1.12-8000- 354300x80000000000000001424610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:05.827{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-34274-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:05.299{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-18100-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:09.104{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B16F228DD85D2ADFF140CA67368C9D,SHA256=0F651930756423E47F2D5FCA652AA5BD3F660ED91EA0B955F930AE522697D76D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:09.270{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C871B4912939B48E8AD8A985CBFED2,SHA256=B535478424E2864D13920194649C3A7ECD82DC8AEFC41DCBA5356C3C2AD1C372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:10.153{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0138E4C19026D748C6605684B993872B,SHA256=8666E0018D84D81D7AC4E81E2CD00162B86820D7ECCC4FA512A47CEECE6B4F1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:10.285{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7801A8469F0E5FFCAA5FD511C01882,SHA256=79EF0DE3AEEA5F74DB1BE08AED49BAB964CE52F8351C294546833F140FADF17A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:10.020{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97E37493BF2F3113190D99010A003832,SHA256=108674E5E7BF0C2393326D43D91195BB7DA357310582CA395C0C01C300A98099,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:07.998{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-42863-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:11.390{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2895A7DE35AEA5B4D91BA5AC1915DDC6,SHA256=4BFBBCE3B992EFE88B30B250655C76126E065D87A9C10D3CC9D36982ACF4DE8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:11.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A85583A6EAF1DFD23A2DE483FA7DC533,SHA256=CC1E8585BF191519F7510B022B6825380A79BD9803F1C98C214C58956887708E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:11.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18B8345B0CC676A42FC62855852A566D,SHA256=AA90DB40B42E78992AF55B03976FDB69C6195C5B80E6776E4B67536735E3B117,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:08.631{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25126-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:08.552{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50049-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001519093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:11.108{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80B91E3D1354B40834ABF61F509EB9AD,SHA256=C2A06BFC4F315FBCFE78BEB09A24858D8F4B4753AF285C6344DCCBF53419C344,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:09.107{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-47335-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:08.765{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-36093-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001519098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:45:12.830{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xef7fb290) 23542300x80000000000000001519097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:12.626{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44366360EF197FDBBEB8CA557F203E85,SHA256=6AC84D0EACB280660FFFCD0AD6A5559EFA4507AEE10ED5B91391F028A4A3258B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:12.566{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C078069812A45A95E98600AED7FEE0EB,SHA256=876FBF3EADA1F3294D971D725753FF60FB2726970A6BB548D6078F8DCB8C6483,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:12.363{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F979C294AEE5AFDE005B3C2218F6930C,SHA256=D9A45BEE201F5F2BFC231E9F91E0C0DDB285EA73919CEC8B97F7EF3DB8AD2A7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:10.202{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-51633-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:09.843{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-42008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:13.863{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72A0D049BD2B2649FC7EA661CAB5ED5,SHA256=7DBB700D240389F68567E00DA776625D2CD619CC2CFA56F6FE4225AD383D0067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:13.691{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=61ABF73B32485B3AD27C5E2856EE43F9,SHA256=A39CC853BA0312376DC85AE7FDFC28B8807A3C6512B6CE4374613B821FA07E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:13.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAF8C0F3BB967CCA3461B34D4A6CA352,SHA256=EDC186E637D7EC24872389172C83C54AC8CAD34FFB5CC15551F1D6CCFAA3A292,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:11.170{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-28704-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001424630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:11.296{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-55996-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:11.264{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-48613-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:14.865{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441A267EB31429238696469E6C0A9B4A,SHA256=EA52A3AFEEE794E7709548CDAFBFD5BB7BC041E536A30203C8EBDC6AF295E8AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.770{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A124ED12DF924EB12421CF67F051B170,SHA256=ADFA2876EBC6DF8F66AB4BDC536C63AE59ACCAABEA23C4C16715493474AEC39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.410{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EC63B375B632C721623C979A549B47A,SHA256=9EE9BD1ACB1372487F06FB721857F78E1A06E6342C19DC60D66D1FC7A8D7798E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.348{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.316{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E3354C5DB0AAE4C7DB73486586DDE7CC,SHA256=3EAD33712D98FCEFD5A2B8A37CFE26FC80C1F035B192F7CB9E47781A3AC1D40E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:12.421{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-54402-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:12.401{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-1260-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:11.946{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49771-false10.0.1.12-8000- 354300x80000000000000001424633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:11.470{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-46335-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:15.929{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E4AE06F6CE9838735F26716B39501F4,SHA256=29393B766514B972FF4015147479BDBE99BE982C3A60886E58AF6B81FE3EA934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:15.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE12157D2BE2A3491901BA63CBE0F4EB,SHA256=95DC3891833544A09FB55AAF247DE16E328D809F740A23B3AB2BD7449D87101F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:15.410{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ACFBA3104C44AA6B907680E56B4DC68,SHA256=F08460F454BAA51A6E2EE198F246CD21D205C4FD042171E6786E218B9690CD6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:15.585{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59E0E5A9202696E7FE1C1CC63B8DF53D,SHA256=DC1A6C6708DC52F63605F29C7773A15838F6B716B862395E2A8F4251F5ED5245,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:15.303{5EBD8912-194E-6154-9700-00000000FE01}50683324C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001519105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:15.303{5EBD8912-194E-6154-9700-00000000FE01}50683324C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001519104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:15.288{5EBD8912-194E-6154-9700-00000000FE01}50684204C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+1158a|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001519103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:15.288{5EBD8912-194E-6154-9700-00000000FE01}50684204C:\Windows\System32\RuntimeBroker.exe{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+3810b|C:\Windows\System32\TokenBroker.dll+22ee6|C:\Windows\System32\TokenBroker.dll+114b3|C:\Windows\System32\TokenBroker.dll+d335|C:\Windows\System32\TokenBroker.dll+d669|C:\Windows\System32\TokenBroker.dll+1ff53|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+8addb|C:\Windows\System32\combase.dll+8c2d2|C:\Windows\System32\combase.dll+39b93|C:\Windows\System32\combase.dll+8c4dd|C:\Windows\System32\combase.dll+37f4c|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x80000000000000001519102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:13.614{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50050-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001424654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:13.514{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-1055-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:13.513{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-5901-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001424652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:15.004{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.988{69CF5F33-1899-6154-1100-00000000FE01}9722592C:\Windows\system32\svchost.exe{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.963{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF9930E4206E817E991081DC2B73241,SHA256=04456E9FA944EB1105641E58FC638F515C419855F2BF296074C260C4C63276E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:16.426{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17A8FCEBAB5EC2E7D22C00EECEA0DF1A,SHA256=C0CAD2B35F712C61CB34AA0E94EA50DFDBCCE65E44A94E5A839EB75B5BA63D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.790{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6DD0AF4FDF28512035685EB5C082C38,SHA256=C9EBCA27C4C434A2673BA750D4CD53B36124A6073FB0CB7AC8502CA55444AE5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.666{5EBD8912-18AC-6154-1600-00000000FE01}12721516C:\Windows\system32\svchost.exe{5EBD8912-198C-6154-B300-00000000FE01}3740C:\Windows\SysWOW64\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.666{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-198C-6154-B300-00000000FE01}3740C:\Windows\SysWOW64\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.571{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-198C-6154-B300-00000000FE01}3740C:\Windows\SysWOW64\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.415{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-198C-6154-B300-00000000FE01}3740C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 354300x80000000000000001519116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:13.959{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45122-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001519115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.258{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.258{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.258{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.258{5EBD8912-18AB-6154-0C00-00000000FE01}852108C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.258{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-198C-6154-B300-00000000FE01}3740C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.258{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-198C-6154-B300-00000000FE01}3740C:\Windows\SysWOW64\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.263{5EBD8912-198C-6154-B300-00000000FE01}3740C:\Windows\SysWOW64\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}C:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=6046950FC9CA5B7A7E084C189658DACB,SHA256=5137C324038AB2E8EAB4F98A20BEE9F121346D62E4D907CA1E4A860F4C54EAE8,IMPHASH=EC90A0D780E0DD23BA7910ABD6BF7E32{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 354300x80000000000000001424660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.622{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-6953-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.593{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-10332-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.506{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-50808-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:14.133{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49772-false10.0.1.12-8089- 23542300x80000000000000001519126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:17.964{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=010D979531FDAFB0BA1C0A9F5DFE1629,SHA256=74756ACD90AD7C076E5F10898134B6FE1A187A0FA25D2B8390ACBF887DAF96F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:17.442{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83CC8261034A8EBE59E754450258FE56,SHA256=C9C7791E80353548A61451EF7D31873318DF049BB56148497AE601D5DA6C5A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:17.917{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D8AA09308719E47C107EF12E4A23FF5,SHA256=0E2258322D24F8B4F21F3672C464C0AA03BCD8FB8155AD8A5833D86FD24AC481,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:15.084{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-51124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:13.984{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45275-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001424666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:17.410{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F5C6D613DAAAC9D5E8D979E6BCCBEE9D,SHA256=0E9A974F82F2CFDB4F0E75F3E9CF2DC120DA2FA9415AAAD3A67FFA33700FD5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:17.410{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6F0CDD299C2D78B003E13F938B657F63,SHA256=B4E0286FFD6DB7B386300616C021BB09CD32B44892C925433CF78C1E7E944D91,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:15.826{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-15197-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:15.811{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13426-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:17.082{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7C9CD92F8A90A72380C42E80CA25491,SHA256=FB0D503972CD999A99999FFA988A4E403C0E546B10079C951509D2649B79E3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:18.966{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB29AD3C6B22FFF0594F1619EA497814,SHA256=1322149B16E6CC1CC458770FD6642DCDBD4D6735C51DBE313F03490A627FDD89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:18.473{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E26B4A252275DA2FE0F3FECC9C2CA9,SHA256=81DEC5C27141C263FD4DF8BC4DB90664496F1B3DA2DE21946C9C3DA038E688BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:16.275{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-57422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:15.724{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51537- 354300x80000000000000001424669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:16.776{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-54125-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:18.192{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E65A43EF68B243264E27E4147268ECA7,SHA256=DED82DDFC0B586E3058351A6260BADC2E9B4B15F64A59B47EF2BC9B462A2E912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:19.473{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FC25BDA1F3432BF27BEF9B2CD7D370,SHA256=2154AA213560EBE1987D3D5E54AB4DA3C9BE6BF3BC9B369A12BB8AB89D03AF64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:17.385{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4497-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:18.997{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3728E18CE211E8A171EB6B5ABB552BE,SHA256=1782E55B9A36BF82BA919249638D0718BEDB7EBA6B189380BA8F55B4556DAB10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:16.918{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-19360-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:19.285{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C7F71F4117239ED29F1298E26641284,SHA256=32A1E26681D92A8E3690B5FF9D51EFA94CF34F5F5FE8E2C7B75EF9E5F49B4C12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:18.108{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-25467-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:18.029{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-23985-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:17.055{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49773-false10.0.1.12-8000- 354300x80000000000000001424676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:16.996{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19609-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:20.536{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBC7996C5AA3F2BE221967677F371FD,SHA256=AB86C3AC3FC2B2ADCDBE150000EDA3F9CF8AD7C7074A4D5B079C63AEF936AE66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:18.530{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38770-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:18.466{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-10489-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:20.077{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=381E440E1A64E591F0CC031D38187218,SHA256=CEE8806291A205C6CE798EA56E5AC05E039BDF30A7AD4A95D27BF4B87FC77F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:20.030{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3E22A8AFEC72E5A297BBEDEAB243EC,SHA256=5DE30C9758716ECAD66DA09E03E68B17B7BA34E480FBE48C6A99755970CEC25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:20.379{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DEEEC28C60AAFF42784017C12AC936A,SHA256=B7057786761E09B621170362411A82154B12E53FD2C4A34BF74A5C8D79BF03D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:19.605{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-56639-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:19.185{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-31383-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:19.108{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:21.536{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505C81FD0C16CDF0AE310BA2E33ADA8B,SHA256=F8BAF93827E93C654E66B90C4B015E6BBE5AD937DFFF7DCEAA96B666853A5C67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:21.536{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=710827166F1C33819A852F9047B9D90B,SHA256=71E5DAED6BED63F8B08F519653B8BE658FF8660D3632E91532464E03FC89F05F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:19.555{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-16157-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:19.458{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50051-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001519137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:21.204{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECB5F08AA70FEF806B934A731EF1CE78,SHA256=A842F776E682D93CB8A0D7ED85FD6C9242141886771EEDA13B9D4B7585634828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:21.110{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D230EA71908011D54307AF3F335E18AD,SHA256=B1933E4D64A1AE3C716C9AD7C102F98AD7B93E9541CB9B050F358EC0E1F34AD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:22.897{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F44CAC67DC3D6F9A0DB84045E43C968D,SHA256=EF30E4726ADC91F60B2C21F10CEBBFF030B5EB1B1190FF84C427C7F4AF3CB04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:22.897{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F5C6D613DAAAC9D5E8D979E6BCCBEE9D,SHA256=0E9A974F82F2CFDB4F0E75F3E9CF2DC120DA2FA9415AAAD3A67FFA33700FD5E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:20.279{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-37297-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:20.213{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-32731-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:22.619{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=05C98C566A5EFCD4FA332AF8DB82E352,SHA256=18C61281FE8469A63D688711354E9C1127F6D49E2062F65EE9FDA52E1F41C164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:22.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C89E4309F6F171DC883EF1E7427C904,SHA256=2750E8538288E327FF359F1B2BC0AFAF4E55280EA044AC9B9F13EE16FDC638B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:20.665{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-22354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:22.283{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=783C3D2F6737B66CE1A78E474FB2C1C5,SHA256=4DE41C02482E3EC0F6553965607128FD0D8FFC933D4E61597EFE49F58D417828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:22.283{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=172ECA032C9B0C2E258C435CB20DA415,SHA256=014C657C748729BDC5B8B1F12E07D76FAD94174238D54A8B7927CA555A54DB0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:22.338{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-003MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:22.272{69CF5F33-198A-6154-9500-00000000FE01}2636NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:23.409{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=507DFD1BDF82EBC74C79C3904692F5D5,SHA256=F15A0CCE5F66135711689E1B68915849C27199EB6DA870DF9C7BDDBB4715442A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:23.316{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B79419F2C854FE38DF040792CEEA4C,SHA256=4C65C68811BB2C4F4E9EE3EDF0E7192321491F9AD0C09FA37FAC38F55DB67E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:23.708{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=143A9954779C6AE05FC48DEDF54D4B1B,SHA256=E719CA6C3FF482AB09157CE87104D2D12C81A574E8273A0CAC653D4DB4D60A92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:23.552{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A92B67447B41B4F79EA0C535C62DBF4,SHA256=C9657BD4E324F612DC359358625B21AFFCE5D9F0F22B56C495AD75ED29614D68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:21.396{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-37575-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:21.381{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59336-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:21.357{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-43128-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:23.351{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-004MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:24.820{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3DAF4AC46189F453D7C2C78192912E80,SHA256=910A3C06C743709A260B49F9CB9C197A50A3732906C5318B2AC8CEE2EF01EA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:24.555{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35979AF184F016AC9C14BB097D878855,SHA256=66151148FDA2DDCA031227B4DEF2039219A52BBB9DA60E6470387829F144C5E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:22.879{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-34323-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:21.809{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:21.742{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-28203-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:24.552{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B75F468A5EEE2AB8E99A4FE9A15BE0,SHA256=F2D1DF1E4AC188E07B7AA8DDD160AC50B269BF8B244A85C362E64536492B01EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:24.521{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6FBB49AE82B45DFC11131ACEAE49A672,SHA256=1B9F2B709ECF8342817A9B2AB0845E1D6AA0BC810648856FE9F5FE5BB9DF8C66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:22.501{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-42014-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:22.436{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-48844-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:25.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBAFE46C2A8DE6D1D62BC3D3E439A7F,SHA256=D922F7E1156E6D715CAB777A3021042C278A193E3BD88CE56A2F612846E18DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:25.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3126070EDBEE3DE9EADB9D949080946,SHA256=D9F7DE18307E2D8D8798C8F50428E834D1A1DCFDE144C808A696DFE919AD6AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:25.899{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA8F62B276835EB3329B203D413129C0,SHA256=38CB719166FED088FD28B91A0E530B08B48118AC5F712A6DC5EF7F76362DFD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:25.570{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601D5FD10E2405E84421E31D49F9555C,SHA256=C27BBA11C781E8E86C24F3204E69920F55C41104EDEDB40D15F9B2A3A29BE489,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:23.655{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-46487-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:23.543{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-54577-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:23.025{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49774-false10.0.1.12-8000- 354300x80000000000000001519155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:24.331{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-45456-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:23.981{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40406-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:26.728{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CDF29A1A7EB6996D8E05BF93FD250943,SHA256=2066AEACACD20F95287EB69B77684178FB7D8D09A1FF7901A6C8993BE4A6F61C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:26.696{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=882E8AB81CCD60F78DFC70DEE8F9AF5E,SHA256=542A375E822A8F515A9F06431F4C31AF2338A885C0B3A4B20B19007D090CC659,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:24.735{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-50745-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:24.658{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-1765-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:26.586{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE29974C800687B6B474EDFCF3597D05,SHA256=F350E644B7679BC4201399CCE5D490AA411D27EB75FC876BF84FBB6BADE2B4A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:27.807{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB3E22F444DFC9347D39242ED9CD5EED,SHA256=38F86FD9ADE9678226C9824F15743FCD315ED0C3CD8F4B3D618473D8B12056B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:25.068{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46295-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:24.659{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50052-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001519156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:27.698{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8EA503AAC42198BA7222E78C87DC643,SHA256=624F191DD4E0420FEFE5E8C90B451B505DD8BB9BCEEF53DCEA9C358F9D9E5F81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:27.680{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F84357843932B31F93C3D6D96DBF3FC7,SHA256=FD64522B53169A19FD081DCE86660BF905918419BDB2ADE26A9E58BB609866B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:25.751{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-7686-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:25.562{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-5776-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:27.039{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB7C7DADABE9FA8345EF4BFF438E3166,SHA256=DB85201C70ECCB10067683145B9EC5B85F7F9D277B666B5A65C7501E3620518D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:28.934{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C178E3ACEA8048CE44512028BB9B74A1,SHA256=ED83418B09DBFC5069E1173B8979562A3454F4793A26075283931CE4596F0BA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:26.891{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-59316-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:26.877{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-13560-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:25.813{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-55099-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.711{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F5BE8D81458DD71CAD357DC49A6745,SHA256=22E66787014B42BCA8FA699D54607FCC46D499A990EC483DDB731DD544A5B39E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:28.887{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=41E90952747FAC557051B3C73DA083A9,SHA256=5208CFD564E4CA3DBD40F0DF7A3AFBFFC75ADE98CA6E9AB3C470CF85A7703458,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:26.181{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-52297-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001424728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1998-6154-9600-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1998-6154-9600-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.539{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1998-6154-9600-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.540{69CF5F33-1998-6154-9600-00000000FE01}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.149{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D15E339E0FCFCC885859B8B78B15E3B0,SHA256=ACECC28723923A2E6438C0B17E38643879679B80390788B8F5AF896F310B9753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.743{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6395375C472EA6AF5EB288D556959E,SHA256=DB875B828157D3655D83053487E8B6E47D8E126103C3930AC4113C83A37807BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.743{69CF5F33-1999-6154-9700-00000000FE01}16681828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001424748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.003{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-19389-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:27.981{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-4502-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:29.967{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A20B114E86DCAD9E9D69AD5EE8320459,SHA256=977B883E3AC5DE7744AA89A0C58FFCD99B47BAFBDBFAB9BAE35D13EED69A87EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:27.324{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-49134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:27.258{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58216-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001424746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1999-6154-9700-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1999-6154-9700-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.508{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1999-6154-9700-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.509{69CF5F33-1999-6154-9700-00000000FE01}1668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.258{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1857D9CE487AFD63C44B5CAEA849EF46,SHA256=6CF0478C3E8C92BA4149657E0665EA5F41B15063EF8D1DCE2FB4D816D8737FAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.078{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-8958-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:28.933{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49775-false10.0.1.12-8000- 23542300x80000000000000001424765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.758{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6EF69DBC2A99B4039C308604B0E7655,SHA256=85B9019A105DD4A4DB4FFB84F9C6CF04991A6FD12B912083499AC95D772B2471,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:28.337{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5162-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:29.999{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A54E8188E6BB768D82FDC890949377B6,SHA256=689E88FAE7FADBBECC12413856D3CD5A8DAADDAA34B2F998983EA634F518E26D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.337{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F756486608A3C237D709A48648A6940,SHA256=344B840A1B1A72F5F44E1171E6B5361903B3ECDD7B3DF1EB5EDFEADB84AA59F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-199A-6154-9800-00000000FE01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-199A-6154-9800-00000000FE01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.321{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-199A-6154-9800-00000000FE01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.322{69CF5F33-199A-6154-9800-00000000FE01}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001424772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.204{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-30664-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:30.157{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-13214-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:29.110{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-24559-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:31.774{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9BB60EABD78FACAB25CC83C4155EFC5,SHA256=3BAC252919BC1502015322DB93231C46421D32A92AEDFBE08B34BA4BA99AFF2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:29.429{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-11119-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:31.094{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B30173B6D05E8A340FF0F746C3EA44B,SHA256=9525BC08EB3CE181BC344B2342610930F0FDE3E07C4094ADB136423328572637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:31.016{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=135FDE3B8C32F529283D9E89F960E8E0,SHA256=DA43046EE75B913DCE866ECC3B5C6EC99C5C3DB2EA6E528CD91D77A39A66DD1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:31.493{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6A04A7B68FF154B6DB1B1ECEF8405E5,SHA256=0613DD3A04551D28522403626AAC868CE67DE0A58DD8E94B1167534CDD0FF37B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:31.341{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-36695-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:31.313{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-17795-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.790{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F35395A60A165307F5AF6C768F812A49,SHA256=5AA3E04D466361294A19E1954CB87B63540B31B2510B12AF28EC9BC2862DF2EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:30.793{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-10149-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:30.540{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-17427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:30.503{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50053-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001519172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:32.174{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6DD4018C430046AD841A596B1843DC0E,SHA256=0FF7FC66FDA5DBDA1C7DE7644E1E1A910AB45CA22BF1AAF6B1B06FB63243AD33,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:32.142{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C365036BCC5C1F291D862274E9659568,SHA256=440E8C930A5F1536CD6833A77228265EFB622561C941EBD11AA2737217E307BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.571{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0C46CF828087F33DF31BEE2C56533DA,SHA256=D657C6B33C0874EB2EBE3F2D0AFF94E01D15A67E41ED93398633860160791C6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.806{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D77122EFE9DF4E87CB4D14D90097475,SHA256=72B36ECB8E30D9364678104299378D90A393196E6B33BE82E34DBB0BDAD25426,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:31.899{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-16105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:31.618{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-23186-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:30.817{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-10283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001519185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.379{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.363{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.363{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.363{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.363{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.363{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.363{5EBD8912-18AC-6154-1600-00000000FE01}12721516C:\Windows\system32\svchost.exe{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXE0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\wbem\wmisvc.dll+2624|c:\windows\system32\wbem\wmisvc.dll+2491|C:\Windows\SYSTEM32\ntdll.dll+7de1d|C:\Windows\SYSTEM32\ntdll.dll+3a969|C:\Windows\SYSTEM32\ntdll.dll+1e86f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.254{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=438D804977B0D8A838B6BE7282955154,SHA256=392C1EAED0FF62C718E173439E9F9FF98D6159F9CEBA374F67D925AFCE271B71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.144{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5C56A0D332D957E7F4385416345D037,SHA256=24D55EED668953B285369EF9160AC7B5FADE62DBF8A991F2D33685FE86C1C65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.650{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBFADC418ABFCEE495D032618F010805,SHA256=7E80B1FAC3A1177CD68C579D640B9D81D6068BF3ACC9F64CDB98A82BCD26E304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.035{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E94EE5139FA89CFE0755529983370625,SHA256=3EE7BB7E3A466D92A13419F08B3D0FA73CB209FDC1A0DFA3E32CBC2DBDCA7ABA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.182{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46346-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.148{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46167-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.117{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.091{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45850-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.048{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45706-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.021{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.997{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45486-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.972{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-45349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.949{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-44993-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.923{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-44359-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.886{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-43996-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.850{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-43791-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:32.391{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-22144-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.806{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E60702358B7F4C9CF328B0D74506E7,SHA256=70177BC99E9DD5C344CA518EA89BE51405638E69F633B60A834F260564DECEA4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:32.696{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-29219-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:32.066{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55405- 23542300x80000000000000001519190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:34.333{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BF02CF6A13F259BB53AC91BB7C7B893,SHA256=9BAB63F043B87A807F76955119C2E7FEA34E184F495BC965F60FB7764B2ED296,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:34.318{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF3B1B40E5301212642D7E37A88BB9A7,SHA256=543CC7396056CDBF3BCC9ECA635178AB6EB8AF767952E4FD4AF6BA6F457B7176,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.759{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85373D57A9E7BACF51F20C7C6B22D973,SHA256=C95851204EFE2BABBD7BA475A9ADC89A1805BED4BA363158E253F255C489AFF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.812{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-34940-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:33.023{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-22163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:35.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C27A62249FE68DF6854615792CEC0116,SHA256=450B293D3C801B28B372B75C9F5AC5084C7F84B4185AD1CE40E9E1154757C394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:35.320{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB397B3AB6C78182FC254593B1BD2E4B,SHA256=106234DD012021AC0F78B79A093A7710C23A8015F7D4E84ED30F7E0645285EA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.192{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-29330-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.170{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-29205-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.133{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-29030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.095{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28933-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.072{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28794-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.035{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28633-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.998{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28495-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.960{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28402-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.937{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28263-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.899{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-28134-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.862{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27957-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.824{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27770-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.799{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27705-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.776{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.737{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.697{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27368-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.661{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27232-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.623{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27145-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.601{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-27065-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.578{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26972-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.555{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26799-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.517{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26703-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.494{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26594-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.469{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.65-26513-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:33.399{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-46810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:36.540{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92A67057322E7A862FD371B754BB0662,SHA256=4DFABC28B7646A848BABEB3933C43C625EA06B5338B78A2C987B89F78F5F7B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:36.540{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742E6317305A1B26D88FEFC2D6E7611C,SHA256=605BB875FCCFFD7AA4CC9C05B3565441966AEC9A08C600192234EC9463E88082,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.760{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53844-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.738{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53572-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.701{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53433-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.677{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53236-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.640{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53108-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.616{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52898-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.579{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-52738-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.275{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=071EF34AD54A365ED35DE51B3E4FCD77,SHA256=04F45E33C6F8D4A2A87A7DCB70CAA11FBD163595D6500E6098FF8EAB36F1FC49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:37.651{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51C1DB1DAFA0D56DD0ABF4549839B249,SHA256=FAB2DCA392832F6A11531657774DE2D6A89CB4241EFC0F12A32E4D810361E542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:37.557{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35B3F40C0D92DD6B9E000E455132338,SHA256=B58B57745D3F11525E5B3C258BF4726F3EAC32342655C91BD5C4DA169B26CF6B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001424828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:45:37.572{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b505-0xfe3f04bb) 23542300x80000000000000001424827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.291{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=698E597BD2AC12D5FA18552B0E717560,SHA256=B06DF55B004F1FB7F2444E9F89EC85A0CCB010F7193C5100DB42CB9636AD3B74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:34.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-28502-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:34.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-57936-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:38.746{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAB58272CBE87D6B22A97A45E50F4EBB,SHA256=6E4861A7E4DCF81EC3DE29F9A883F964EEDB310505376EBA11DFE0FB12C7E563,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:38.652{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C710B26B039EA94DE174CEFC1BD4D292,SHA256=29E849EE0A9C1BD86DD89C316DFBE2C9AED63D050DB757B4C8A6D9CB21321FA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.433{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-21262-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.414{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-21258-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.370{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-21235-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.094{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20655-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.788{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20167-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.770{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20133-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.736{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20093-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.718{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20091-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.700{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20054-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.682{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20016-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.649{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19977-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.631{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19941-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.601{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19845-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.569{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19772-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.391{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19515-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.040{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19217-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:38.291{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80F17CC68878E08CF1A87529828D21D6,SHA256=C2D4A3012AECB409B70F595F7C8FB95CFE1DB00108CA4498B9B968306D17E925,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:36.337{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-40018-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:35.991{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-46706-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:35.628{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50054-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:35.211{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34310-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:34.899{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-40942-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001424841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:36.007{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19181-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:35.989{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19151-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:35.972{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19143-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:35.939{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19125-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:35.836{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-18920-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:35.574{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-18767-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:35.455{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-18400-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:35.311{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-18158-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.886{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49776-false10.0.1.12-8000- 354300x80000000000000001424832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.865{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-54372-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.828{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-54255-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.806{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-54122-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:34.783{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.96-53986-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:39.826{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB422A65DBEC90DAD3CE99949DBF7CFA,SHA256=B184AF261AC676ACFB9AA9F2261795BCB6E7A43A1F5008AD0B0433C2A89C3410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:39.795{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8899335B9F277F05B1FB50800E21D91F,SHA256=1088470EA934674312D0FA00C8C38A438C654F24ADC864B54D7CA39B9017BD58,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.959{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-22014-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.535{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-21591-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.517{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-21576-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.498{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-21345-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:37.464{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-21291-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:39.322{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B9A8D4CC538BD7340CA20DDC3E0D92,SHA256=A7B83D7614787E9B40F43F1872788DDD97C9B35A134C493BCFE6AD4E5398B6CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:39.607{5EBD8912-199D-6154-B400-00000000FE01}4848NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:37.101{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-52869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:40.968{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7294592B1EC047665D67A8A29FBED2C4,SHA256=8AB1BAFD648377F7B58FDF35028BD4FF67546808075452D89C8C4F3DF845F422,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:40.338{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4004176D7F1EE39350CB6FA5D48004C9,SHA256=D0048A8D5963846591A47649BC8D8AD42057F48B9D98EC5AD9D5681315EA142E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:40.953{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5932B97FCFC17BDD0659709576CBC170,SHA256=418C7A6790B50DD06BBC08EFF607D38024EEC81D5ACAC4D742F28917E69D5831,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:38.180{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58758-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:37.445{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-46111-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001424866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:40.151{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F6E57DC1708E3BD1BB2CB82B2DA7EF0,SHA256=D3C2F6D1C261CF09EED8B41DBF6A821BFE7BF7BF444182601B6EBC37500860AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:40.151{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF74339D574FB8844B1EF1A0B6ED5569,SHA256=E320E9C90B6E1667EBB392B71E7AF92AA07FA492B74D45E4C5266C5BFAFFACB0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:39.902{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49777-false10.0.1.12-8000- 23542300x80000000000000001424868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:41.338{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A9F331DFC3E79945ADCED5898C4ABB,SHA256=FA7D87705B780DC7316DFF96255DEDFF900976856B844791A4ACA53DF62A05C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:41.725{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:41.725{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001519219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:39.273{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5768-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:38.638{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-52366-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001424870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:42.370{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9767D613936DAFDA6D005EC8B985D0,SHA256=3D83D29FF2A1A79158B74A6DF0885EAE32532587853A2474EA585A07B22876CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:39.779{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5868-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:39.757{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-58606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:39.702{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse116.203.178.8static.8.178.203.116.clients.your-server.de55483-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:42.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D82138B31AD59D194DE6A04DFF9C864E,SHA256=212897B883F401028DA37CA6ACDE4E090882CEDD62B15037E4C55171F8058397,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:42.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24B887B552683A240ABFF7D7C1BD8D7,SHA256=78D09CA2ABA2B28DC6813F3408C4148106FAF5631C823CCE4D9515A9DD0834BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19A7-6154-9900-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-19A7-6154-9900-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.776{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19A7-6154-9900-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.777{69CF5F33-19A7-6154-9900-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001424874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:43.385{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FD3B67A910A67C090BD3CEFA109406A,SHA256=C7BC21FD9EFD6AF1E1D8547D8FDB7C0ACE638B8212E34902F4E0E99161673D42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:41.462{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50055-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:40.867{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5837-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:40.383{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-11727-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:43.164{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E458EFB1A91B63FBE2285520DB6DBB78,SHA256=A905B7BBA8EAF5C4EA50B9CB18EA8B5A3E5AD5F843B7AB150B95629657938FF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:43.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC6619524F9F9CB9BAC8DE667A81D4D,SHA256=75253304AADF7F33D6256C5ECFF3B57450CD9108F459CB1D31838AE94E5F4D8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:40.830{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-25848-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:40.756{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-25781-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:40.725{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-25495-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.917{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62128992E1866A625ECA32B6AFB130D4,SHA256=23CA22B55F66B03AD5CA3C3E8DADCB410BE494C1F7C4A76D415F08481214AC5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.917{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F6E57DC1708E3BD1BB2CB82B2DA7EF0,SHA256=D3C2F6D1C261CF09EED8B41DBF6A821BFE7BF7BF444182601B6EBC37500860AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19A8-6154-9B00-00000000FE01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-19A8-6154-9B00-00000000FE01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.776{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19A8-6154-9B00-00000000FE01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.777{69CF5F33-19A8-6154-9B00-00000000FE01}1236C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001424913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.511{69CF5F33-19A8-6154-9A00-00000000FE01}33162524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:44.275{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:44.244{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77E2DE80AF5E1CC1727AA163C690FF16,SHA256=AA36F6209E281EE74AF12865560DEFAF736A30063F766DF1DD34D2906D95FC5E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:42.156{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-4651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:41.950{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-11689-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:41.509{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53189- 354300x80000000000000001519233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:41.480{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-17610-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:44.040{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EE04E77D13898B06379140CD1FE0BD,SHA256=175281A6371DC59F2A90012FF703F2C5ABC99E30FE1C99887CC61C55076980D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19A8-6154-9A00-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-19A8-6154-9A00-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.276{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19A8-6154-9A00-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.277{69CF5F33-19A8-6154-9A00-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001424899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:44.089{69CF5F33-19A7-6154-9900-00000000FE01}40403092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001424898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:42.565{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27560-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:42.499{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27468-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:42.259{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27211-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:41.899{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:41.725{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26501-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:41.505{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26345-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:41.238{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26294-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:41.098{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26276-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:41.005{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26167-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:40.920{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26008-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:40.860{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-25921-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001519244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:43.030{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-17633-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:42.917{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-10123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:42.592{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-23681-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:42.236{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-5034-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:45.292{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48D701E5D6BF95B8BB498EF97DF08AFD,SHA256=1AC3FE56C9F5BBA07EBA5996430A64FA98A7C039D957A883DDA2B8301C9AFCE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:45.167{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7EE019399AA8BB9F2CE5CED57BD9C27,SHA256=C8C1B0228AA4E96DE7F8CC8182FC5C21BA4E844300201B9EF83EE4A22E735097,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001424944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19A9-6154-9C00-00000000FE01}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001424934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-19A9-6154-9C00-00000000FE01}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001424933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.276{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19A9-6154-9C00-00000000FE01}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001424932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.277{69CF5F33-19A9-6154-9C00-00000000FE01}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001424931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:42.659{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27624-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001424930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:42.605{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27594-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001424929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.058{69CF5F33-19A8-6154-9B00-00000000FE01}12363384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:46.466{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=17479BB45F7536D4D33DE84D637E621B,SHA256=01B33E6E8A87DE741EE387672CD4199AE5FBC96EA97BBC6EDE0A22196F6DE980,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:44.107{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-23533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:43.685{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-29634-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:43.681{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50056-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001519246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:43.523{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-12020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:46.184{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=535B7C3667BBEE6A6DF94CBAC4DE1AF2,SHA256=9509E40DFDE1F3D4CC7D6D1C6D27FB7558D1A14635882008961C74FF372BC305,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:42.726{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27648-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:46.058{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9C7A3350E27BECD5E9F0519A2B8C176,SHA256=B842A7EBC3C8BBC807E5720DAE034581BC3DCB358657A22C449F7F752CA1B258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:46.058{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C3B2B607C68DB192BB21DD09B9DD9EFA,SHA256=3C162CD0E458B02D4C9CDB5BD97287F018D0FAA5F8A66D25DDA089A2E7064F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:47.545{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1C51679AA923318ED972DF94B906627,SHA256=365B71F8497282189E010F0EBEB453671D0C078CCA8B4B5D5D7466D1A42F2F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:45.200{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-29493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:44.801{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-35659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:44.773{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-19092-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:47.185{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29B2A0388246047D815A013AAD385EF,SHA256=D7C51EEE36AB0A46678982F2924CB21BA537173F6B0B737257CEF7FE3A043822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:47.089{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0DF5A94D34B56D859C2F5FFF7A2AAC2,SHA256=C3D45DBD82133AEC901F25A69FEE9B64F4F933EA79435FA94DCE4967E5386FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:48.625{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=79CEC2DEDC6B2E5A2A41AEA938141B7F,SHA256=17E50DA89D95AAD04A3B6CBE595652A4AD08007989A19D0E92DA956FBF281841,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:46.025{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-25924-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:45.888{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-41721-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:45.754{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-14701-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:48.296{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168FB6E3E58E4A95206120ECB7E2EB22,SHA256=D435D3E81D8293B28B4A9B6A64E3F10A804B26A142A1E8437C8CDF9DF829531B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.871{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49778-false10.0.1.12-8000- 354300x80000000000000001424950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:45.261{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-31168-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:48.105{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5924F514ED099C0FF30BFA98FF11A803,SHA256=0C2DDAE251C15EBF419263A4126AFB74B5DBFB41183C35C21A7AAB18E483A860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:49.136{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=188D09DBD06C081969CBC02ADB5F875B,SHA256=F6548823A4CECACE7D444551980977D72D4845DE4534D983F4945A630024028C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:49.752{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=147B17244DFABF4C583AA5CCADC4FEA5,SHA256=29EA635ACC9D6509AB594FF6374AC1C2F804D21ABFCBD9927C330DE302C01E34,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:46.967{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-47555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:46.571{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50057-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:46.310{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35722-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:49.298{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1737658CBBB3F88797CED41A22AEB1E8,SHA256=34149133293CE1136DCBE05719990ADF6BCB2929C06A4B85DA07EF2EBE02C657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:50.831{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=191293B6743B96F544314C9F876393D2,SHA256=9E181ED9A84038688831AEB5035895ABA3FA66A197386B2E6D008883E70FBE1F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:47.388{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-41524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:47.286{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-32816-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:50.299{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7842299F0A62600FC6A0A355BA5C4F97,SHA256=FF0A4AB21094D88A0413DF6B97CB591F8095DF7CD12937E432062F7F18DE3F17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:50.434{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDB85DCCBCEE76EF819734B255F48FFD,SHA256=D630C85B70B6A93BAE0DDC2C2CCAF915F79A75422B4A97750F4FFEF280E148C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:50.199{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E4BA7B85EF8523FBF8806DBA56049F5,SHA256=FE42885EFF02F2CF91F75989A7EA854C76F7C4283178281748421F556CFA254F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:51.911{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D461C7845B82B9D6B319DD98ED3FE3BD,SHA256=EA449210F88DA0833C830A7E48777D3E5AF5BBE9C41001E489E96828391223BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:49.814{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-19516-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:49.790{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-46552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:49.561{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-52932-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:49.169{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-1954-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:48.539{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39812-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:48.466{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-47277-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:48.060{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54122-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:51.300{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABCD70BA32B5614172C830CB2A291CAD,SHA256=B8EA1E00ED65BE1D5A72E0B24F377EC80C108620566EE517B784A14DDD8EEBC3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001424970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:51.887{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000001424969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:51.887{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 23542300x80000000000000001424968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:51.887{69CF5F33-198A-6154-9500-00000000FE01}2636NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:51.887{69CF5F33-198A-6154-9500-00000000FE01}2636NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:51.887{69CF5F33-198A-6154-9500-00000000FE01}2636NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\0009\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001424965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:45:51.871{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000001424964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:45:51.871{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000001424963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:45:51.871{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000001424962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:45:51.871{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000001424961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:45:51.871{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000001424960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:45:51.871{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000001424959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:51.871{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x00006555) 13241300x80000000000000001424958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:51.871{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x00006554) 13241300x80000000000000001424957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:51.840{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x80000000000000001424956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:51.840{69CF5F33-198A-6154-9500-00000000FE01}2636NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:51.215{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CB53A97961B8050E7C9CA8026BECD81,SHA256=CB4C12F7A45CC579AE6753D692171EE79F59D048FA6EBEF5E2F3BD27388B28BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:52.788{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-003MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:50.685{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-59038-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:50.248{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8990-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:52.308{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AE33253D381610116CC43E3E3EAF1DC,SHA256=D3F80F453F0B1D55190B71BB3F92B89FE583FBE2B4D74A33FD05ED2E1C3CD420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:52.887{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CBAE6C1CC4DEE7EBB6D201F559BD8681,SHA256=991CD6702E19FB4BD5B0F10AE87BB433FCC7C040FB4DF15EAD513D16013F0DA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:52.887{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D025A6B956EEC9ACC7C564303543A031,SHA256=BC840EF27BE4D9DE620B32E4C9C715275AAED67EF7FFC1E8A190173916665977,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:50.819{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-38055-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:52.246{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B3885524C0AE71E588A5ACC86C686D1,SHA256=B47C8C40F73319799FF7B00823C682E394274C28BAC3BDC677A3AE0FD0397AD4,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001424980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:45:52.059{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000001424979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:52.059{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List25942 25948 25958 25968 25988 26032 26042 26080 26086 26102 13241300x80000000000000001424978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:52.059{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x00006557) 13241300x80000000000000001424977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:52.059{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x00006556) 13241300x80000000000000001424976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:52.059{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x000065fd) 13241300x80000000000000001424975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:52.059{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x000065fc) 13241300x80000000000000001424974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:52.059{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000065fd) 13241300x80000000000000001424973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:52.059{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000065fc) 23542300x80000000000000001424972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:52.043{69CF5F33-198A-6154-9500-00000000FE01}2636NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=9ABBDD19649DE87A9267DFBD8E86CD54,SHA256=91E0C1CF2E088BE34332313E71628CD704740FE518D3D7C0B0A32CEB60805C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:52.028{69CF5F33-198A-6154-9500-00000000FE01}2636NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=9ABBDD19649DE87A9267DFBD8E86CD54,SHA256=91E0C1CF2E088BE34332313E71628CD704740FE518D3D7C0B0A32CEB60805C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:53.803{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-004MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:52.058{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-21632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:51.771{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-5864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:51.618{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50058-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:51.328{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-16415-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:51.039{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-53380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:53.317{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49873C359614AACB02758F54C334E66,SHA256=FE7448BE37ECDBB3AD81AE682FEBB306F1731015D2EB13000401FEB2AF86D527,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001424987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:45:53.575{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x07c8d9a0) 23542300x80000000000000001424986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:53.309{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDF6E2132A8E235E802555A38BB8239,SHA256=29665F593899823EE232E4615B226C82277FA01D8E6C02502C6CD27DBD03CC64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:53.004{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=63B406EF0CDFD6B486B3EF9D193A67A0,SHA256=7C65AE36D59A783B8021DC0773B6F9B033A3E0BBD3A5971976C6E79401BF1B78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:53.231{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5B522B78C0BD43ED54EE9520DC6D8E85,SHA256=DE9A9D63649AD6A65F9F9FE456CB64C3ABE86690F396D56AC09D7E8CB5F101E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:53.024{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-12556-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:52.433{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-24221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:52.426{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-1740-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:52.082{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-21810-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:54.338{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26DD276FACF6D30F7386F506C25E7C45,SHA256=5A7339D244D1AD30CB8E1A0684991DACC05B092122815702B123DEA4C2C1A33A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:51.870{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49779-false10.0.1.12-8000- 23542300x80000000000000001424988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:54.325{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E457E68794DCE2D5F87CB51D12086CCB,SHA256=DF1C2588464973C953A59615E57475CCFFC065CDE3DCC8A3DBFA8314BFBC7634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:54.128{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7CD2315F7C9960315570A69D5A932BCE,SHA256=EB2B715BCA42A8B6D1A807DBD34734A7817F8410BAFF62FA267DA1DBFCB4364F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:53.675{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-8257-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:53.570{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-32307-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:53.169{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-29763-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:55.339{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07BEDDCB5D70EA2A0B178BDB20649178,SHA256=544CAE454D29E7F410C54B83FD69B00B2F1FC80FC372E53F1C32BBD96CBFA05A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:55.902{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9433620F0D8F158C8DE41693FE33A906,SHA256=C0FB632E7561A16844A8D1A75089A1F0B1329C689CCE5C382CD657905E664E9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:53.374{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-41404-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:55.387{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BCEA6B5F3755053038613F429527B82,SHA256=012756E77ABDAB7C7D9695866E8CC0B1D3F91F12663C284A5BD6A394C8332E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:55.292{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AD19015232FB9710A161C564E092101,SHA256=B2300E958A2A98CB6B0F36029D249DFCB9CFDD786DEC82CE45126BBA43943E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001424993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:56.402{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E89F4A597346DFB10CE7764E7896661,SHA256=48A93D0858679D7243B8C6D21AA5FA4D057A5AEB36F5B3C0E2021B9FFEEA835C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:54.704{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-41202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:54.436{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25361-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:54.250{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-38084-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:54.140{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-18860-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.450{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F538F4BB68F430927DDF15AE62889F5,SHA256=5078A52D773BB86FF8C499D15371B93E32D8D582892A6BB868A189CA1F061318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.434{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D687212B6A9091B6F28638D281F6C57,SHA256=B2288E7D93B7EE448CE7280B12160252D38F47DFEB34D98FB0882BA78545B9DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001424995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:55.894{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-45255-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001424994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:57.433{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=392599AAB0E4A23B6CA51E3A64F006A2,SHA256=4F88A2464D16578D2C001AE1F50DDC03E883CB7993ECDEF5CD5D50DF59A9C5C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:55.234{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-24796-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:55.025{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-15249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.529{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A7566A8DF4B7163CFE89948E71F2D4B,SHA256=FDCE7C7856FC866425BAEF5F428C3F9B5ABC6A65A9F6F7ED0F1D435D6EBFF8BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.435{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80D7EA9E6143EC739D6FF26826BF9480,SHA256=31607437A3D866F1C63A9EE4D25EF5FC574FC5D31D37346027012B96AB84F6B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.140{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58929-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58870-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.127{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.104{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34672-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.078{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58229-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.073{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58207-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.068{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34498-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.032{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34283-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-58099-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.994{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-34169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.985{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-57936-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.976{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-57736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.972{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33945-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.962{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-57640-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.938{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-57580-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.935{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33819-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.926{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-57361-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.913{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33712-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.891{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.888{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-57085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.868{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33416-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.849{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56929-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.835{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33294-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.825{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.813{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-33146-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.791{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32978-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.784{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56483-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.762{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.753{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-56125-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.731{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32703-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.715{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55979-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.695{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.690{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55821-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.673{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.666{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.643{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55540-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.635{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.621{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.613{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.598{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-55113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.591{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-32009-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.569{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31875-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.559{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54905-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31757-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.536{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54711-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.523{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31644-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.514{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54428-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.501{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31513-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.479{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31406-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.476{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54239-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.456{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-31174-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.453{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-54081-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.417{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30946-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.381{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30820-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.359{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30671-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.335{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.312{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-30399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:56.276{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-22341-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:55.859{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-49653-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:55.342{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-45864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001519320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.609{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19B6-6154-B500-00000000FE01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.609{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.609{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.609{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.609{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.609{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-19B6-6154-B500-00000000FE01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.609{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19B6-6154-B500-00000000FE01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.609{5EBD8912-19B6-6154-B500-00000000FE01}3300C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001519312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.437{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769E447743FE44E67987895B47F67AA3,SHA256=D8E05FC1875EF34ABA683B15924DC46CF7D1B36A5BDBF748BD24BEDE79D5A79D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:56.948{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49780-false10.0.1.12-8000- 23542300x80000000000000001425009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:58.464{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD320F02E89AD092EC5C2622982F034,SHA256=AA3BC52374A74F6BD5C5F4D04D1200AC8E50213303B5C712767CF42335B0830C,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001425008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000001425007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000001425006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ena.sys[NdisMofResource]LowDateTime:-575650048,HighDateTime:30874337***Binary mof compiled successfully 13241300x80000000000000001425005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001425004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000001425003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001425002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000001425001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001425000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000001424999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:-1711938829,HighDateTime:30871737***Binary mof compiled successfully 13241300x80000000000000001424998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:1488817152,HighDateTime:30878798***Binary mof compiled successfully 12241200x80000000000000001424997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000001424996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:45:58.105{69CF5F33-198A-6154-9500-00000000FE01}2636\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 354300x80000000000000001519472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.181{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7594-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.163{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.158{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7410-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.119{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30870-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.111{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-32402-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.110{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.105{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7060-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.088{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6911-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.080{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6845-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.071{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.053{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.045{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30553-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.042{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6678-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.032{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31923-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.030{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6507-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.021{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30458-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.018{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6530-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.996{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6266-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.993{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.992{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.974{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30394-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.971{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6206-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.958{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5995-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.955{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30184-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.954{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31600-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.947{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-6036-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.925{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.921{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5828-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.899{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5553-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.895{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5387-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.876{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-31230-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.876{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.849{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-5032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.828{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4908-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.807{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4812-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.798{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.766{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4426-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.736{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4371-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.721{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4237-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.712{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-30243-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.691{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-4155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.674{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3968-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.661{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3983-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.639{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3794-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.637{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.634{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29844-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.618{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3481-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.614{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3561-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.590{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3276-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.580{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.557{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-29492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.553{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3124-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.551{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-3087-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.530{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2949-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.526{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2776-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.507{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2613-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.490{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2602-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.466{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.464{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50059-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.463{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2389-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.438{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2193-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.436{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2188-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.426{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36423-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.414{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2030-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.413{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-2025-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.403{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-36197-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.390{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-1879-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.389{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-1855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.366{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.365{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-1558-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.365{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-1685-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.341{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-1503-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-1282-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.298{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.33-35249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.295{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59944-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.286{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.256{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59769-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.234{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59425-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:57.188{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-59149-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.845{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E601C8B9D5EB439B26848E104914D527,SHA256=87BEEB305F8219117EAB069848AF4B55280567A49056076C8E89CEB82700587D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.829{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7BD77D72006D447F5D85BE24F5DEAF4E,SHA256=081E7E4C94701F14837A5C92E88D9DD3055F0AFD3F62308E1CF3B693A5963BAB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.751{5EBD8912-19B7-6154-B600-00000000FE01}51004900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.485{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19B7-6154-B600-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.485{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.485{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.485{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.485{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.485{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-19B7-6154-B600-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.485{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19B7-6154-B600-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.486{5EBD8912-19B7-6154-B600-00000000FE01}5100C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:45:59.480{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B514F280F5A3654B125523378BFB09F7,SHA256=2BBBDA0AE7DFA7953B13FF7EE1F90E9F1AB57000A5DCDAD152A67412A304E943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.987{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BEC2403A4F8C9BFCAC38B42BC4A4C3B,SHA256=A7826CADD2144F643C9639C83EFF4C53C64003501DF3FBED3D1524C455451818,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001519481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:46:00.893{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x0c257e9d) 23542300x80000000000000001425013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:00.699{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60E34A8602871CB51616FDFE71D1BF81,SHA256=D9A68266AE6F03BEB8494987896A9AA004A1EAF6360713BA6A7B4A5CBD03EE96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:00.495{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC5C5102E304991A2EFA13F618FB64CA,SHA256=DB4F8346EFE760F399DA9388F58C95B54D59705BF50D7B9C6F61D4262F2EB1B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.392{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19B8-6154-B700-00000000FE01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.392{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.392{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.392{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.392{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.392{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19B8-6154-B700-00000000FE01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.392{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19B8-6154-B700-00000000FE01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.393{5EBD8912-19B8-6154-B700-00000000FE01}5680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001519508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.936{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3A9DE33FB7A4FC7E77C6174605372D8,SHA256=BFBC14021BCEFB622444E4F556799C35A4136743D2CFF39FAE8A11A3383938D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:01.511{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=961461C09621E2FFFF28C0320E7CD77C,SHA256=CB3520D67974FDD3D54B72DBE005FBE5D8A30EB8DB6D6BA8EBBA04F27C57EAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.425{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48EC34243B27DC090D94FE5421C7678C,SHA256=AAF797B5C95D7BD3667347156C1442C6AABA27E9D6FAD1AEA6129FB1035AD4E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.605{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50060-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001519505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.605{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50060-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001519504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.593{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-34835-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.577{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-10213-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.551{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-9989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.512{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-9809-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.487{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-9619-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.470{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.463{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-9410-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.441{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-9211-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.431{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-34338-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.418{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-9032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.394{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8873-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.371{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8633-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.353{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-33819-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.336{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8505-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.314{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8337-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.290{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8165-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.274{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-33281-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.267{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-8030-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.253{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.242{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7885-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.219{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-7719-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.190{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-32842-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:02.526{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C66913D0CDB39D1471A095671B07368,SHA256=EB6C2B38681A3E3E5A1A804DC14B6BD97D0124083EC1CD9F8F3AFE9C00A74BB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.577{5EBD8912-19BA-6154-B800-00000000FE01}20804292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.312{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19BA-6154-B800-00000000FE01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.312{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.312{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.312{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.312{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.312{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19BA-6154-B800-00000000FE01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.312{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19BA-6154-B800-00000000FE01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.312{5EBD8912-19BA-6154-B800-00000000FE01}2080C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001519532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.138{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-43609-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.058{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-43096-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.976{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-42642-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.896{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-42221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.815{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-41806-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.735{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-41336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.655{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-40962-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.575{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-40319-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.475{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39995-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.395{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39603-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.316{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-39177-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.236{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-38743-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.155{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-38281-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:59.077{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-37768-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.999{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-37300-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.920{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-36865-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.841{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-36443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.762{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-35991-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.710{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31634-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-11058-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.685{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-35349-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.663{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-10873-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.639{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-10751-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:45:58.613{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.41.27-10471-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001519600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.969{5EBD8912-19BB-6154-BA00-00000000FE01}61245996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.766{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19BB-6154-BA00-00000000FE01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.766{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.766{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.766{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.766{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.766{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19BB-6154-BA00-00000000FE01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.766{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19BB-6154-BA00-00000000FE01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.766{5EBD8912-19BB-6154-BA00-00000000FE01}6124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001519591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.328{5EBD8912-19BB-6154-B900-00000000FE01}41005876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.312{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A5A901E60AB1013C168A245EB8D0C99,SHA256=CCEC68D4CEC52E100B555DADF0C7472EA89C885A06E5935F6CE465F2C5A0D60E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.094{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19BB-6154-B900-00000000FE01}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.094{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51309055725C6695A2E8A76585E77BE3,SHA256=BE03A8B29F4B554B1BC4708BC0833D4CB679C7E641ADD1FD2BEFB78D37D0E6D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.094{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.094{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.094{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.094{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001425019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:01.964{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49781-false10.0.1.12-8000- 354300x80000000000000001425018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:01.293{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-51666-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:03.667{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9755227BFB2013EAE3A10CCBB5100643,SHA256=EE5D9F8E634218092DCEC693FAA5EB54608BA6B50995D69A1FBF7FBB1F0539D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:03.542{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEAFB94D9D5E6423200784770044346,SHA256=1AD11AA937FF8DCCD4A42C0EADC81FA655847D75392BED4BD67C5C8FAC88842B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.094{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19BB-6154-B900-00000000FE01}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.094{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19BB-6154-B900-00000000FE01}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.097{5EBD8912-19BB-6154-B900-00000000FE01}4100C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001519580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.228{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33914-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.196{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33913-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.177{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33892-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.145{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33891-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.112{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33890-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.094{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33883-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.060{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33881-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.041{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33879-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.022{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.003{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33873-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.970{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33865-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.940{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33863-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.922{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33859-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.900{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33853-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.879{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33850-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.849{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33844-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.816{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33838-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.798{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.768{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33827-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.749{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33825-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.732{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33814-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.699{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33806-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.680{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33801-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.662{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33797-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.644{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33789-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.626{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33787-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.608{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.590{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33775-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.572{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33770-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.540{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33767-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.522{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33758-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.504{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.465{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33739-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.416{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33713-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.372{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-44105-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.324{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33544-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.229{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-32593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.216{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-44025-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:00.147{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-32171-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:04.558{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316A12568CD17600129471F112005C69,SHA256=CB08589145F7F152BFA81ABBB34293230C763E3EF9A16662E725024E9B73E401,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:04.798{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19E81C4F423D645F40E6FAED11F4BDC0,SHA256=7E36D161BB0AA5688D92AF78C741E92A49FC6E9D926557FF5884F055D72F0D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:04.469{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB50CC5713145367E2AA1442B17168B3,SHA256=972FF650DE6F88DC5E1B710EE1C1022F0BE9D930BF2947FACE6283AE0D54A926,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.384{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-55444-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.306{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36488-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.305{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-54461-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.167{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-54202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.090{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-53745-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.040{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36270-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.010{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-53249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.932{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-52665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.909{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36216-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.852{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-52113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.849{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36169-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.817{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36059-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.785{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36003-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.773{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-51654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.750{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35940-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.732{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.713{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35764-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.693{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35598-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.692{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-51220-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.675{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35448-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.657{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35250-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.623{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35048-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.589{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34833-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.558{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34762-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.539{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34523-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.509{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34477-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.491{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.473{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34381-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.441{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34303-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.424{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34284-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.406{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34255-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.387{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.369{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34152-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.351{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34084-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34060-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.299{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.281{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33964-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:01.247{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33947-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:04.064{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-55349-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:05.573{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06FC6903201384C97BBA2C7FBC18E5AF,SHA256=B0BEC9F175FADD4E5783E347F6F7FE49A42EA44E2D32E152E6269CC45434397D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.188{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D39BB565649ED31ED8C09D41BC48849,SHA256=C8D87277B62735FC6A4C46376D4590D98427099BE2530CC965F73B8AC9BA01E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.306{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38242-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.174{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38209-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.105{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-59258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.089{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38048-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.021{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-58835-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.012{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-37453-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.942{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-58412-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.863{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-58022-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.796{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-37198-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.783{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-57641-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.703{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-57238-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.622{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-56819-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.581{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36788-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.543{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-56383-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.476{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50061-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:02.463{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse87.251.64.140-55888-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001519648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.110{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19BD-6154-BB00-00000000FE01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.110{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.110{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.110{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.110{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.110{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19BD-6154-BB00-00000000FE01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.110{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19BD-6154-BB00-00000000FE01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001519641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:05.111{5EBD8912-19BD-6154-BB00-00000000FE01}5552C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:06.651{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0B001E336608046878D2D4888A8F3F,SHA256=8B3B3D108DB50E57DA88D02699FAE64E05739B263D2C04FB6E28693CE6A78B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:06.189{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=441C0E53CBB75C269BDC6159A92CFA2A,SHA256=6009FD1AAE8BACA8D2AFA310C6FB1BCB2595DD10A514FABC0EF325E92C1FAAAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:04.048{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38613-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:04.003{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38492-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.896{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.731{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38332-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:03.521{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-38275-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:06.127{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=36EE84C7719CD2E115824927B0893013,SHA256=6595A587227464185EF5C69A052097A47854942B992A188DC7E5413981092A0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:07.682{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B946BDF30BD362C1CCCA002BAFD44439,SHA256=F5BAA5CB1F385B94F3A044AEBA5E24B17DB92392BF089EB012752EFF3F7ABF75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:07.315{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=556F5564E1DDC24053C1844B4A9DC673,SHA256=C9CF7F2F315DA92023F502745F8D7AFAB1AF8720EAD58E395DF4FC341B2E581F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:07.260{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EF201220635145E98C7AFA42470F6BE4,SHA256=75C425B12D511736AE9BFB6680BC8D2DC572A2F13A4C39563DE6739DBB7FED67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:08.315{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD49887F9D8AF81ECF3CF09F265D77B2,SHA256=F6ACD4F36CC72B446A2C4D73CBC216DC23D956276A8ACB45A7A3AEC10690EB86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:08.682{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8538C63357F5B822852AC90001D3EE47,SHA256=DDE45D772F6A0C8CFCA6B95FCE3CE99BE981B8E1619BB1E648EAAC138A4F9879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:08.253{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2BD54D7BC030D50018BC815DD90DD18,SHA256=2D6288FA7E5A02BF8C136E9B1269025C4BA0C2B71EDE5E8BBAB347ED8D373B4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:09.363{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD0EA49C3C79DC6CA74A1B22E9ED8FA,SHA256=63567C07F6518A7E112862F3A6522F0728B112ECDFED6F442C1E4956D25C0D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:09.713{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC95272AB85CB32B3447A671E41955EA,SHA256=D0F964C4986F4C417E6A632E16CFFBADFC4CC533B16737E057AAFF243301097A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:09.448{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47D6E33A485D99845AE4D4C4566CC5A3,SHA256=0A27F7D3C3BA45B879F2207078BAF33C125E5C6DC6A0C671C43D265F1B002004,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:07.325{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59007-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:06.981{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49782-false10.0.1.12-8000- 23542300x80000000000000001425031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:10.807{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD148FD54D7AF6F14673D83A3F711E1,SHA256=9A0495BFA0E7A768091DD50D1F7AF6DD7684AC1DEDA404360E7CA4F7A6109B7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:07.719{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-44275-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:07.491{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50062-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001519677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:10.379{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0801445CBB0CA30B885A916BA2440CEC,SHA256=FF6B2A00C5EE065A64FEF2C4E6966F431B9748BEA309BB7E033A506BAEE5AFF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:11.838{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68EA11BF2A44A194D33BB17D8D55BF38,SHA256=9997B9BBB90335A6A44EFE1A644CD91FF93C6109EE8312E60999990A796FA33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:11.838{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF140316ACAF2F53CE166FF6F9CE6CED,SHA256=F37C7D4A5947FA135B4337BD3C0C1DFB5264B9C388EFF322012B8D61DFC51230,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:11.380{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3EA175989962E19ACDE19918823CD49,SHA256=0ED05E5EBB128902CD3ED109B06248297932DB89857D2393AB3A7348E42244A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:12.885{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EDE73BE116C7B344400621EF1D1C0CB,SHA256=00451DDBB34E1861FA4DC400A628C4692E8D0C909B686FEAA0395C18D6C0582E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:12.427{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=280F9F85CBB3CB5E3429F94853ABBB6D,SHA256=42B4144780F4ADFB8B1EE3CF862CD43C3187557627DD6DB3CC3CFD8DFB26D13C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:12.380{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF5D6DF224DDF7343BCD2FB50349B99,SHA256=474D2789AA8455D637CDEBC4C9C584BF2F56490E27AD5E4DF8D6C2C2D925B202,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:09.816{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-3663-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:13.916{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F1AD20F4D338EA509FE29B042E1D31,SHA256=5366A9D76FF813B71748517C322B48F5817A194B2661B7FC9DCE0C03DCF7FA1A,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001519708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 13241300x80000000000000001519707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List26852 26858 26868 26878 26898 26942 26952 26990 26996 27012 13241300x80000000000000001519706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First HelpDWORD (0x000068e5) 13241300x80000000000000001519705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First CounterDWORD (0x000068e4) 13241300x80000000000000001519704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last HelpDWORD (0x0000698b) 13241300x80000000000000001519703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last CounterDWORD (0x0000698a) 13241300x80000000000000001519702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x0000698b) 13241300x80000000000000001519701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x0000698a) 23542300x80000000000000001519700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.459{5EBD8912-199D-6154-B400-00000000FE01}4848NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.TMPMD5=B789ED3F1E4F8004A62A5E04013A257F,SHA256=6409D10C807D556D130DDE4042F03F3A06CD8F72D01D385716167D16171DBF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.428{5EBD8912-199D-6154-B400-00000000FE01}4848NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\PerfStringBackup.INIMD5=B789ED3F1E4F8004A62A5E04013A257F,SHA256=6409D10C807D556D130DDE4042F03F3A06CD8F72D01D385716167D16171DBF7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.397{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8261BAC3B23450AA3A4029E59CCB9B77,SHA256=8E7A8B9366AFE116C74E1505E3054265CE9500065B64F18E917D6094502AA695,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001519697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 13241300x80000000000000001519696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\PerfIniFileWmiApRpl.ini 23542300x80000000000000001519695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\WmiApRpl.hMD5=B133A676D139032A27DE3D9619E70091,SHA256=AE2B6236D3EEB4822835714AE9444E5DCD21BC60F7A909F2962C43BC743C7B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\INF\WmiApRpl\0009\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001519692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Updating 12241200x80000000000000001519691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Object List 12241200x80000000000000001519690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Help 12241200x80000000000000001519689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Help 12241200x80000000000000001519688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\Last Counter 12241200x80000000000000001519687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\System\CurrentControlSet\Services\WmiApRpl\Performance\First Counter 13241300x80000000000000001519686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last HelpDWORD (0x000068e3) 13241300x80000000000000001519685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.287{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\Last CounterDWORD (0x000068e2) 13241300x80000000000000001519684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:13.256{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\UpdatingWmiApRpl 23542300x80000000000000001519683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.256{5EBD8912-199D-6154-B400-00000000FE01}4848NT AUTHORITY\SYSTEM\\?\C:\Windows\system32\wbem\WMIADAP.EXEC:\Windows\System32\wbem\Performance\WmiApRpl.iniMD5=FFDEEA82BA4A5A65585103DD2A922DFE,SHA256=C20B11DFF802AA472265F4E9F330244EC4ACA81B0009F6EFCB2CF8A36086F390,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:14.932{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943AD82B0D027C972CFD02AF83AC4CC6,SHA256=B18DC6FD9E5B6D3D0C787584DD82AC349F7A4117FC951E80D3AE2F4F1FA2256B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.429{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D976A7BC5D1705F22A4314552E52073,SHA256=13DA640A6420DAA0E8855B8EC1F81F31FA8714D1161783F0848D6FDA81519AAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:14.369{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:14.323{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EE6303FF7123DEB33EECC9D49D4A0754,SHA256=4CA8DD6625ED6AEB6FFDE094FBCF749BD87DE91EC5399F62F6AE006ED18C7B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:11.888{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-6688-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001519714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:12.491{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50063-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:12.381{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1705-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:12.357{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-1421-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.069{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15F74536B8F1DC74288A98307A8EC8DC,SHA256=04377A3910CD5D8D5827BDE04A511F4D722AEC3844ACCDFCB26B288C5A993C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.069{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=F28CAB8566B7A410531731A4A71CCBBF,SHA256=6FEF4239109709DA38C465EFCBDCF5487469333D411DDDBFF1D077DDB8EDF751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.069{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8387DEBE877CD479EA1AB9BAF4756387,SHA256=DABEAFCD9A66943F884FCF2AFC06EC74F45BDC70A6066779D339CBF22208C806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:15.948{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39C690768006BD0EC8B0A09199A24F6A,SHA256=DD148CC4C91AF50F78A88C9CCFC732895744B13E79C11D77A4F578D852CBDBB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:15.851{5EBD8912-18A9-6154-0B00-00000000FE01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Users\Administrator\AppData\Local\Microsoft\Vault\UserProfileRoaming\Latest.datMD5=93B885ADFE0DA089CDF634904FD59F71,SHA256=6E340B9CFFB37A989CA544E6BB780A2C78901D3FB33738768511A30617AFA01D,IMPHASH=00000000000000000000000000000000falsefalse - shredded file with pattern 0x00 23542300x80000000000000001519746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:15.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=77039833A773FFA1E02945E3444B28E8,SHA256=37E283454E7E258A39683B47E7E87FB74B227ED1FFB37FC88F0C1515A94AD19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:15.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=58818532F5F98E9ACB87BB3E5747B528,SHA256=ABE18DFC75A4316FCD88EE5785BE4D10DB11B267C51BEFA94A39B5A58BA073D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:15.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=382B522DA80B14FC699F8C2C98668370,SHA256=C60EA71A8C02240EE3BF46DC0874EE1DDC2F81AFBFCFE072C54B3990567B48B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:15.604{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ECCF016C9D6351A03C154E9EB2A93F8,SHA256=64A5D072D9EA7ADEAF8CA46E3C81AFFD2F300857358D6DF29A00170FF199E522,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:12.979{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49783-false10.0.1.12-8000- 354300x80000000000000001519743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.647{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6957-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.625{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.603{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6707-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.568{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6613-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.565{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-51405-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.547{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-51380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.529{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-51376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.524{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6419-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.511{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-51366-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.501{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6276-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.492{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-51356-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.465{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-6192-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.358{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-51082-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.323{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50972-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.304{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50918-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.285{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50848-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.252{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.222{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50625-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.173{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50534-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.155{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50515-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.138{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50459-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.119{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50412-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.101{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50328-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.068{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50291-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.038{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.020{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-49862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 734700x80000000000000001519716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:15.242{5EBD8912-194E-6154-9900-00000000FE01}4288C:\Windows\System32\svchost.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001425045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:16.979{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC0A75F97360D839351A8B40F7A84FA,SHA256=C28A23F9717A6FB69A8A7E2F21F108D264932437D9E6D5ABFF5A8F414E9C67D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.899{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91FDA39CB64E639E64E7782E21BC0645,SHA256=89E8A9A9B919B4BE355507DA901AB43211046505BBB3F2EB4AF5A6D916920287,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001519788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:46:16.899{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x15afd04d) 354300x80000000000000001425044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:14.151{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49784-false10.0.1.12-8089- 23542300x80000000000000001519787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.680{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4FBBA9BD54E03DEE89E4C126F931DE4,SHA256=534D30829F1FB2DDC9E7CCB453735E42FFAF7BF166572A5BD37E043ACCBCD8D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.734{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11681-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.709{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11535-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.682{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11356-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.644{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11257-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.621{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11162-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.598{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.575{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10916-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.553{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10816-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.530{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10708-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.505{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10595-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.480{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10477-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.457{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10377-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.434{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10224-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.400{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10139-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.376{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-10033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.351{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9732-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.323{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9652-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.263{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9542-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.238{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9445-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.201{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9381-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.178{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.156{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9211-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-9119-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.111{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8946-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.073{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8856-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.050{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8547-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.980{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8407-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.946{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8300-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.924{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8215-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.902{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-8119-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.880{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7963-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.843{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7805-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.805{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7703-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.783{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.748{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7466-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.726{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7294-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.691{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7179-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:13.669{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-7070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:17.980{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A0C1C63F27541CB0896518CB6ED48B,SHA256=3D0E20A6EC54357B201E613ED8D7C86ED32E05108F2F6CA5FD9E232E8C286D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:17.915{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C1D04DF70F560D6FF03ADE0DA750447,SHA256=0420EB3283D99B9754DE8D4FA5546AE9C68B94B7443813314673121E681E78EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:17.791{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76987306A49C7887BB8B0D1DFCCB740C,SHA256=0D7D132A5F5175C465D6628A79EAE1F85C3D329354AAA4ADDB0F5F656CBDDC46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:15.692{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-11313-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:17.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6DEA95E26B0CEDAD7DCF0272200B4A4,SHA256=5A67175D73150D93A1190B9E13EA3016C347832801E283D47B894BEE9472CC2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:15.038{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13136-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:15.016{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-13025-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.994{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12940-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.972{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12757-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.934{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12639-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.907{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12467-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.870{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12299-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.836{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-12102-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.800{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11999-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:14.774{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.105-11809-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:18.916{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AB59F0600938C63CACCA9A47B16307F,SHA256=1DE42F70260C3BEE72B9DB1888D7EE5101AE623D94123286A3B21344F8915B33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:16.292{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-12258-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:19.932{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE4557CCB1395934290B23A3C5F35200,SHA256=49A5AF3F74ADEC7041F1C1CBD7C4944DDB440E49DAB939389A683EF1C2F029B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:17.600{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50064-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:17.461{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:17.206{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.947{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56827-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.788{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56768-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.680{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56738-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.637{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56724-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.616{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56703-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.598{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.579{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56619-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.508{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56273-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.483{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56010-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.429{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-55665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.367{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-55246-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:16.275{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-55146-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:17.855{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49787-false169.254.169.254-80http 354300x80000000000000001425052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:17.795{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49786-false169.254.169.254-80http 354300x80000000000000001425051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:17.794{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49785-false169.254.169.254-80http 23542300x80000000000000001425050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:19.007{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEFAB48F288B86753B60ABACEB5C7F7,SHA256=04850B04139EC6BFECCC4A518EAA0728BA34E6402971BE1239EE1E2DF709D06B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.948{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFD0FA70DD7FAB7A80A74ABF6860C8B,SHA256=D61DDCD9F4511CDB3AA580BE9EEE414E81E42A79CBCDB1F48A44C40E34A944DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:17.973{69CF5F33-189D-6154-3B00-00000000FE01}2932C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49788-false169.254.169.254-80http 23542300x80000000000000001425054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:20.023{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A5F1F0414B96D95098007FBFFBA837C,SHA256=CF808B058E3C3A6952C8B45367EE3EB10EE53A4877EABA1BF01CB732B4B5AE83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:17.622{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-57054-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.354{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33B7C0645778A07B3492AB642FD0EBA2,SHA256=A40BFE97CB259B2511A1B3D3D3851E52FB5CBFB60485701E20C6DB7B070120F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:21.953{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5D2BCA0C44F0D0AC02161EEEF034EA5,SHA256=AFE275C1A0F88E1431F2B5CBC0F1D6A77CE0B2ADE27616AEF8BFFC6B01431269,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:21.382{69CF5F33-1899-6154-0D00-00000000FE01}792812C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:21.382{69CF5F33-1899-6154-0D00-00000000FE01}792812C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001425058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:18.992{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49789-false10.0.1.12-8000- 354300x80000000000000001425057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:18.929{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-15600-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:21.054{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46CBE409C74A646C5EC68B4E65716AD9,SHA256=6116E42DF2B4364D8221A85A47E0B8F94880323117085A56F85F7BC0DE6EFE2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.953{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADB8FCFEBBE458B46B1AA084BBF88FB7,SHA256=644D66ED28B19A5B315F0D53C14BE2BE136FEA267A1E38BF933607623D2A4C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.953{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4026BB291C426FE1B4089C5B19D14A2E,SHA256=C89CB80C54A53D20882C11F5E92AEB8F824E1553F4C48D8E5F86F0AE19953C5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:22.054{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC1E42A3EBC67F409F27E5976A52ACBF,SHA256=7E59D7E6727FCA783507734DB6896C7A069BE7F251B4CC0C85611C56938B806D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.413{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2392-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.340{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2226-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.297{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1884-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.272{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1787-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.243{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1719-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.211{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1623-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:20.192{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1514-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001519836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshedDWORD (0x00000001) 13241300x80000000000000001519835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance RefreshDWORD (0x00000000) 13241300x80000000000000001519834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ena.sys[NdisMofResource]LowDateTime:-575650048,HighDateTime:30874337***Binary mof compiled successfully 13241300x80000000000000001519833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\intelppm.sys.mui[PROCESSORWMI]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001519832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\intelppm.sys[PROCESSORWMI]LowDateTime:-2024749675,HighDateTime:30736945***Binary mof compiled successfully 13241300x80000000000000001519831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\mssmbios.sys.mui[MofResource]LowDateTime:-592857982,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001519830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\mssmbios.sys[MofResource]LowDateTime:2077700573,HighDateTime:30531428***Binary mof compiled successfully 13241300x80000000000000001519829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\en-US\ACPI.sys.mui[ACPIMOFResource]LowDateTime:-592701735,HighDateTime:30543079***Binary mof compiled successfully 13241300x80000000000000001519828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\System32\drivers\ACPI.sys[ACPIMOFResource]LowDateTime:-1594147734,HighDateTime:30671341***Binary mof compiled successfully 13241300x80000000000000001519827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\en-US\kernelbase.dll.mui[MofResourceName]LowDateTime:-1711938829,HighDateTime:30871737***Binary mof compiled successfully 13241300x80000000000000001519826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE\C:\Windows\system32\kernelbase.dll[MofResourceName]LowDateTime:1488817152,HighDateTime:30878798***Binary mof compiled successfully 12241200x80000000000000001519825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashDeleteKey2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\WDM\DREDGE 13241300x80000000000000001519824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localSuspicious,ImageBeginWithBackslashSetValue2021-09-29 07:46:22.344{5EBD8912-199D-6154-B400-00000000FE01}4848\\?\C:\Windows\system32\wbem\WMIADAP.EXEHKLM\SOFTWARE\Microsoft\Wbem\PROVIDERS\Performance\Performance DataBinary Data 23542300x80000000000000001519846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:23.954{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11ED91FA2C517B592B41D6876C7EFFF8,SHA256=83EF34605B660EB5D8577D8659DBF6E25FBEB78B5E7DC506C0258E1798BAD497,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425065Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:23.885{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-004MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425064Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:23.554{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A894986F5F8959E5A7A4E2E0B99516D,SHA256=A9FE1DF432115D8371CAC52F3F836C8169C5DD79D87B75556296179998FF6480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:23.554{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6B9300DFA2F6E9811A2B15309607BF1,SHA256=4C2780BB8E6A02F80DD78A59EA9E7283A850ABBDC4C279B495CA28BDB5164B81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:23.086{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BBDA04EF14A74F0DDE2411FECE02C12,SHA256=F0A95CEAB0B655522DBB6F57BB960A62A2D163F7FB562A8A97DBA9CCBB080752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:24.955{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D7D142D714473E156FEDCD12D495FFD,SHA256=662D7C922FAA7EFCD23C7E45B0D199B2E155165E0DBF46A23DE93EA884662A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425067Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:24.899{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-005MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425066Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:24.164{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4BF3948370B7E59E76E634676B110B,SHA256=3FB00A4C3D4EE0BC07D014CD8701B09667B6BBA9DDE2E34FC87F53953061E82B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.652{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5122-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.570{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5060-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:25.955{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AACC8543582D995F2FC35CCEB209D358,SHA256=9BB6F8AEDAF154A4B66F51A536C185DD7B12FFE867D6237EB50472DB0FF66EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425068Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:25.166{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E031047F3D9463D87812010876C0C3,SHA256=167153F59A5DF420BE53C09DCDD8E46D4294A986869B3F2484D670217505CF47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.956{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6208-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.912{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6019-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.863{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5742-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.818{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5694-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.795{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.775{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.755{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5547-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:22.720{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-5351-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:26.956{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7204C5FF4F7F112C81CA5563E56256BF,SHA256=D9AE4ADD5989A6F3D561BB7DC88BE5880EE802B96A0A345756AA7A73A2D4E99E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425071Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:24.948{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49790-false10.0.1.12-8000- 354300x80000000000000001425070Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:24.807{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-23096-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425069Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:26.169{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB24AA784C12FFA538BA637E8CC11C7C,SHA256=53AB56F528999CBAC63A853E1499038B5D8C221C99A291EF31EEA561C1CA8D49,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:23.480{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50065-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:23.378{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6949-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:23.263{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:23.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6451-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:23.035{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6331-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:27.956{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B1653DBD2E689A44BAF5B158F88BFC4,SHA256=02774C5D8D35F5BED7D863E820D32640BA344A8ADAA4B2A72158CD34DACAF774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425073Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:27.200{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A894986F5F8959E5A7A4E2E0B99516D,SHA256=A9FE1DF432115D8371CAC52F3F836C8169C5DD79D87B75556296179998FF6480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425072Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:27.200{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0C385B6E6A336B8D9D09A856328D8AD,SHA256=BABC882C39CF9F5083C20FE4DF04A28BC8FAFAB8F23E3E8068F09EAD59D024C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:25.061{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse210.245.92.42-64573-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:27.190{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C84A8713FCA6EAB4A3A81ABB01182AE,SHA256=7E505689AB38EE29B67E3E48EBA2F9E8989DFC1AB29C36CE19EE96CC9F5531F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:26.688{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001425087Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19D4-6154-9D00-00000000FE01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425086Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425085Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425084Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425083Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425082Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425081Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425080Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425079Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425078Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425077Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-19D4-6154-9D00-00000000FE01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425076Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.528{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19D4-6154-9D00-00000000FE01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425075Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.529{69CF5F33-19D4-6154-9D00-00000000FE01}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425074Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:28.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFAA0B66E9A4D3D0E2D40413D499EBD,SHA256=086B07B9EE85D85C6EE259769FF38D1C1B7AA60FA999D14CDEF139FA81665BAA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425104Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.575{69CF5F33-19D5-6154-9E00-00000000FE01}14444016C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425103Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.544{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2169E682DDE62EAE463C09623673592A,SHA256=11950E54DD1DE9A9044EAC817FCA18EAF9A5DCE023698A12613D62901392AFE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425102Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:27.247{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-27051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001425101Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19D5-6154-9E00-00000000FE01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425100Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425099Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425098Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425097Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425096Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425095Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425094Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425093Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425092Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-19D5-6154-9E00-00000000FE01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425091Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425090Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.357{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19D5-6154-9E00-00000000FE01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425089Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.359{69CF5F33-19D5-6154-9E00-00000000FE01}1444C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425088Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:29.294{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CA75051078FE0A9899FD0F6F7A013B3,SHA256=17A1284B695D3EBD922D7170CA277D58036F958AB7333564838FAC2B2C795C88,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:27.596{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-12397-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:27.240{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11723-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:26.935{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:26.870{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51109- 354300x80000000000000001519871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:26.857{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11606-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:26.788{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11438-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:29.176{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C46D5038E4CF8C27867E5D5B0A274596,SHA256=6E959F3CD045F251A2A43BB2832B1CC5E6D92A4AED11DD1E3A61CC1E63AE1BCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425118Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.716{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38B57EAE9091DF6C75A193966542EDDE,SHA256=DBA99EE8BB227E707FAC83CA70B5A6E270F0C64367746E4CB08E8C135520CDAB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:28.495{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50066-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001519883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:28.495{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13973-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:28.180{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13858-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:28.007{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13787-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:27.853{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13737-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:27.794{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13713-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:27.742{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13588-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:27.690{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-12760-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:30.192{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E306B2076CE56D68C794CF27E0C856,SHA256=B513201C9E93A05FB99258ABC73589B8FE09B71C95B048C9FD9A0051E3234A44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425117Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19D6-6154-9F00-00000000FE01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425116Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425115Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425114Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425113Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425112Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425111Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425110Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425109Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425108Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425107Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-19D6-6154-9F00-00000000FE01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425106Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19D6-6154-9F00-00000000FE01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425105Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.310{69CF5F33-19D6-6154-9F00-00000000FE01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425120Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:31.732{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=244A0104981ABAE36E57462E7499B791,SHA256=1DEB257E296B2854F24082777D924C038D1D8F7A34DF2FA8134207D9FCB3D2FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:31.959{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5B207286DF208803D5C9F34234AD35F,SHA256=F2BF21EB26DF7B1B0856F46F4E2A6DF86994ACDF546105FA5D5852DD4F28B867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:31.193{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABEFF4B0CEEFDC06E06DC9EAD2C1938E,SHA256=419D480DEDA0BE756EB8B5BF760C178F971EE40CBA08895DDBDFE0AA5E03A841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425119Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:31.419{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FFAA487F528BAFA82B7DED32B283265C,SHA256=D88DD83AF11DDDDE815EE4FEF9054CC8241A1C99F0BA5F9B684DE3DF18ECE845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425123Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:32.732{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA67096908DA0578BB4419F39E5ACB5E,SHA256=D35E1136450C0025E6C6EBBB6147F0A64A5FD58696FA528103C790D30E672BD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:32.209{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C15573D28EBEFE8CA62C90035DC4FF,SHA256=02EA2310876545D78E55F0927F1D78CCB2DBF415DC030AD49075BAFE86854B1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425122Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.392{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-29974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425121Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:32.435{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3440063F40E405E43BCEEF3E39446586,SHA256=28A3E88DADB8B98F0777F38062AA96C29F65968BEA161EE9AE2910A06A9E4FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425125Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:33.747{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902E59768CB94FFC35EC44FE332AD8B4,SHA256=C373BD36770196D4A4D58520E2830A05E3E6DAC5506F82373638023E1F853577,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.913{5EBD8912-19D9-6154-BD00-00000000FE01}25884972C:\Windows\system32\conhost.exe{5EBD8912-19D9-6154-BC00-00000000FE01}1084C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19D9-6154-BD00-00000000FE01}2588C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19D9-6154-BC00-00000000FE01}1084C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001519893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18AC-6154-1600-00000000FE01}12721516C:\Windows\system32\svchost.exe{5EBD8912-19D9-6154-BC00-00000000FE01}1084C:\Windows\system32\usoclient.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e0a4|c:\windows\system32\UBPM.dll+11662|c:\windows\system32\EventAggregation.dll+3fae|c:\windows\system32\EventAggregation.dll+3ea1|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.882{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001519890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:31.355{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17223-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.225{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86697CB6DDA96558BDE4FAEA6614677A,SHA256=74349CECAABAA635A9B094AEEBBB5ACB30D1275FFC9009632D00A60299ABFA5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425124Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:30.966{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49791-false10.0.1.12-8000- 23542300x80000000000000001519888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.100{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B928239BB3753E88A44A6C24A1E50A58,SHA256=7A5FDB899FA0539EF198CDCAD9B6B82F27F329A77F60F00EB04CC04B41CD70B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425127Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:34.951{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=780D0E635C5756CFF07597B3214DE84F,SHA256=A0C497A6A6D4B2EB56E8969575C8BED07D5B7F2428E324F265B979A39F4722D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425126Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:34.779{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7247FAEF4B0263A538196ECB4F478BE4,SHA256=5E00BEFE525D1280B8D93BBF698D8497E60906E9F2B88CD0AB14FE62079F5AF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.991{5EBD8912-18AC-6154-1600-00000000FE01}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF5095e.TMPMD5=5892EA2F1D2C4AB9FD5ABD190120DC56,SHA256=5E41D428A2C488E45D2D1B974F00B1A5DC4B2DC4EB181E82F4C65B9394DFE6C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.945{5EBD8912-18AC-6154-1600-00000000FE01}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF5092f.TMPMD5=25C1AC2340C024E6754DD3FEB7C98EB8,SHA256=3E8B3F3AED0ECBF1CE73D4690550DA897B150354CA0AEA7DF9A6D4842A279366,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.898{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDBADC7E1A936534EA08E0C6CF32D009,SHA256=194249DD5690A9DFB7557D8D9FC18F4ABF776DE3C2E770BAA1DAD37A236973F3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001519925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:46:34.616{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001519924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:46:34.616{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000507e7) 13241300x80000000000000001519923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:46:34.616{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b4fd-0xbe3e49b1) 13241300x80000000000000001519922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:46:34.616{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b506-0x2002b1b1) 13241300x80000000000000001519921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:46:34.616{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b50e-0x81c719b1) 10341000x80000000000000001519920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.507{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\lsm.dll+b4ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001519917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001519911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.491{5EBD8912-18AC-6154-1600-00000000FE01}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF5076a.TMPMD5=DC9AB518908589FDF045AF2BC83FCD06,SHA256=C69ABA463239D87F6683DAC4058EBA4F8D12A28BCC374B1BBF6431D3CCFF19EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.444{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.444{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.444{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.444{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.444{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.444{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+6a63|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001519904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.397{5EBD8912-18AC-6154-1600-00000000FE01}12721516C:\Windows\system32\svchost.exe{5EBD8912-19D9-6154-BC00-00000000FE01}1084C:\Windows\system32\usoclient.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\usocore.dll+210d2|c:\windows\system32\usocore.dll+15924|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001519903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.241{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0D28C8C190A5D7D0C7EC08A42C4EB3B,SHA256=3424DD10F31601D1F8239CBAB649920174230154ECACED39C18A626C2926E89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.228{5EBD8912-18AC-6154-1600-00000000FE01}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOShared\Logs\System\UpdateSessionOrchestration.100.etlMD5=18DCA784E52BC713C39EAD385C1E88EE,SHA256=4B78842684F71698234B2BF435DEEA0D7A5597418DD713C3C899E61334872CC8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001519901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.179{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-19D9-6154-BC00-00000000FE01}1084C:\Windows\system32\usoclient.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425129Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:35.826{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=533315B402083B695EF51B94604F054D,SHA256=72C11A83C11F0636CE1050183A20AED716EB2A2187970A86EE8C066D7836A6A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.904{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56211- 354300x80000000000000001519935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.792{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-56128-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.765{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-55825-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.592{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50067-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001519932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=312E65AE9B6661C241CB44748BBD2DB5,SHA256=9B6C73A776AB8F3A1392239FBB1401A6489F65F79A9032CEDFD7B96568AA867C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.460{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=77039833A773FFA1E02945E3444B28E8,SHA256=37E283454E7E258A39683B47E7E87FB74B227ED1FFB37FC88F0C1515A94AD19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.273{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FA12AC3CB3F6B8FE79E7150EBA1C4B,SHA256=7F52AF152082A927DCDF4C0A87986E139B2DCD35031361688B9AA1A0D877FF2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425128Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:32.651{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-33519-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.038{5EBD8912-18AC-6154-1600-00000000FE01}1272NT AUTHORITY\SYSTEMC:\Windows\system32\svchost.exeC:\ProgramData\USOPrivate\UpdateStore\updatestore51b519d5-b6f5-4333-8df6-e74d7c9aead4.xml~RF5098d.TMPMD5=311E60242F0573D24C9E6B8BEE69C29F,SHA256=8571DCE8DA92A767B2F3D1E82CCADEFF354943CA26D0018ECDAEA169662E8A1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425131Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:36.873{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CEF577BBEFBF564CF02DBAAFB44DE91,SHA256=62647042FE1E12D4D40786EAE2AD8904F30EAC0212ECD9EF588631D3BD214DF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:33.932{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50068-false40.126.31.139-443https 23542300x80000000000000001519938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.445{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F697F34960A94049CCAD5DAA31F04FC,SHA256=847427F5E617A1B104C11E8DDC770822244D6A3F5E6C16D6E4E7403A0202BA33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425130Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:35.052{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-36512-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001519937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.039{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A640DB8D516DAAD0083BA789D6D02B08,SHA256=F9DAAE727CCAE78FB46A051F1A903F65FB74536041A6DFC8D99F47DB0D0511D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425133Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:37.935{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F9D26B2275D590DA6E9D5A12788D66,SHA256=DE130613CFE82A1A3D14D816E87F23790C335FCDE4DD8F6409A9378740923EEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.896{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24021-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.878{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23854-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.848{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23532-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.816{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23327-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.785{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.764{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23059-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.746{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.684{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22376-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.651{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22334-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.632{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.612{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22241-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.593{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.575{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.542{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22001-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.508{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.490{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21949-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.456{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21811-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.438{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21720-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.917{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57169- 354300x80000000000000001519941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:34.170{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50069-false20.73.194.208-443https 23542300x80000000000000001519940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:37.524{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF173BE6EEF8ACB157D4B4E8764394DB,SHA256=2AC0D9980DFB78DD78AD7A5843DF9853C4ECE3D93378895E89B6C8552FECAA07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425132Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:37.482{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=230D86073AA7EBB2F568976737FD864D,SHA256=22469A9D1B089301007B1790FD329DFE1C2D081BF6087801942392D923DBF966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425134Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:38.951{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=592990D21A9E1E55D18E206BC22317F0,SHA256=F30BC7AC86C21B1069A31E7F302707697C1865BBE0159A8B6B5CB3D9EFC04B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.759{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16A24428E50704CFED2122BBC74D11DB,SHA256=70D08FFCEE273CF3A28FEAEA3F52026AFDEEAD5F172639253E5CEF6F176112C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001519977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.914{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.661{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24671-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.282{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24572-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.186{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24543-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.142{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24518-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.124{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.106{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.087{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24394-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.056{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24352-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.037{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24315-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.018{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.000{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24242-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.983{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24193-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.965{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24144-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.947{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24087-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.917{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local61208- 354300x80000000000000001519961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:35.915{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24058-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:37.348{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:37.246{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26308-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:37.150{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26007-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:37.087{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25767-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:37.020{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25342-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:36.933{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51647- 23542300x80000000000000001519979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:39.838{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2955B96F7E2ED8B1C292A8BDFBA4AEF,SHA256=51EFDE58C47CA4185397CB27A9EEEF23BA28FF48D32A7B33E7310784509FA409,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425136Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:36.919{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49792-false10.0.1.12-8000- 23542300x80000000000000001425135Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:39.654{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A584A140B704CBCF0160BEAF286E413A,SHA256=BFE6C6E83BDD2F00468AEA0D3A10E4C0CA1230615FEAA8E592F9AC41D262EB7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.726{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-28064-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.661{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-28019-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.619{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.567{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27851-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.529{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27767-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.484{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27733-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.447{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27615-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.394{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27278-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.344{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27152-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.295{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-27036-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.232{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26867-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.165{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26787-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:38.007{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26678-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:37.770{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26614-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001519988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:37.524{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001519987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:40.870{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12151E9EA0B00797F7D51132849F20D5,SHA256=9B1D1848900680826D86C637AFED87FE4BEC9057CA52B9693AF74A0CD1833371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001519986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:40.838{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE865A724DB3DFDC19554B94EE4A6041,SHA256=6C1C2B5ACC4813A035A15B0CB8B23D2794F4BF2C2F1B83F290EB6B4B1ED711AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425138Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:37.580{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-39779-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425137Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:39.998{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89C2BB09BF2867B4224480A234024A3E,SHA256=E1A0C55A1D559709CCD7C9B9A2917D5AC3D3ACE17F64E4C06114E69F2A1AB908,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001425140Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:46:41.592{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x2467af36) 23542300x80000000000000001425139Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:41.029{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7544A1C54EDBE2FB1BA1441590015C74,SHA256=A7C034FA5C46740F8AFE4F5B13A2A1FA825F032AEE009F33A2ADF52C80E19668,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425143Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:40.050{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-43091-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425142Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:42.436{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8B49A3C8D67CA1CE1070D9374811A2C,SHA256=B500F652B4B04357735DFEE5EC3251EDC060270CFE14C17CE8CC8CDE1D515142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425141Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:42.076{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A335092B580201FD5CB62297B370546C,SHA256=57D64E5406B7403FBB2A1801245C72261039DEECCBACFB0F228455C248241A7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:39.496{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50070-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001520003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:41.992{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B26E81541354BD19DDB3A45A4670A40,SHA256=3ED4E06A2C9260E3CB43113A98C0A9791CF20EFCD9AAAF0263031DD281985169,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:43.008{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB04C854DF6E5E553D43F61261DB299,SHA256=3D5123E96A7029A8CB1CE8AB90FDBA1F8F3D9B41F1C99535AC0E25D9A10A86E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425158Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.795{69CF5F33-19E3-6154-A000-00000000FE01}3740300C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425157Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19E3-6154-A000-00000000FE01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425156Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425155Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425154Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425153Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425152Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425151Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425150Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425149Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425148Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425147Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-19E3-6154-A000-00000000FE01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425146Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.608{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19E3-6154-A000-00000000FE01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425145Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.609{69CF5F33-19E3-6154-A000-00000000FE01}3740C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425144Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:43.092{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CCDAF3DECB953EBD7DE953A5A889395,SHA256=69423F155A405E401771D895ECFCE42CEC66D16ED224F958F570706011504C31,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425190Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.889{69CF5F33-19E4-6154-A200-00000000FE01}3292752C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425189Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19E4-6154-A200-00000000FE01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425188Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425187Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425186Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425185Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425184Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425183Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425182Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425181Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425180Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425179Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-19E4-6154-A200-00000000FE01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425178Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.733{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19E4-6154-A200-00000000FE01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425177Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.734{69CF5F33-19E4-6154-A200-00000000FE01}3292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001425176Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:42.919{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49793-false10.0.1.12-8000- 354300x80000000000000001425175Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:42.592{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-46568-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425174Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.639{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=401F8E4E033B0839A3D47F5E19B909D1,SHA256=8F9BE5784E5D778DE5EF9127A300CD05955497FA34EC496B31DC83E99FA859F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425173Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.467{69CF5F33-19E4-6154-A100-00000000FE01}33161444C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425172Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19E4-6154-A100-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425171Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425170Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425169Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425168Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425167Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425166Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425165Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425164Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425163Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425162Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-19E4-6154-A100-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425161Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.233{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19E4-6154-A100-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425160Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.234{69CF5F33-19E4-6154-A100-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425159Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:44.108{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8239C4F4E7680D7882D0EEC11934A048,SHA256=8E4A80A1A3D5CFC98ECE4A196ED620134D1590BEE9C37D4A5E823D9A87628B89,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:41.854{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31183-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:44.353{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:44.024{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4145561E3869FADD4DE0D0C37C953F5,SHA256=2E8C584612A05F17FC6FE78E7DD83058036B101CAC7B7CEB7C5F5547727C6D62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425205Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.780{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7BF86D5E72F85E4DBE591456499D777,SHA256=015CCAF79431EE0005C65375C4F5A51C67EC3C8A1BB01C6FF35DD2391AFFD6C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425204Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-19E5-6154-A300-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425203Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425202Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425201Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425200Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425199Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425198Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425197Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425196Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425195Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425194Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-19E5-6154-A300-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425193Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.405{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-19E5-6154-A300-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425192Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.406{69CF5F33-19E5-6154-A300-00000000FE01}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425191Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.217{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6721ABDA3D3A6172F7ACDBD6C6C9914,SHA256=A5E4CFC40623F449BFFFE89866C35277A7906117D4CF14953048E63C0516ECAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:45.040{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A25FB04661619D122AFACC06AD4033,SHA256=6F223D85DAB28CF60F999B3635D4D90E53E482931675A6EC85BD4F62E940DFB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425206Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:46.452{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0679F8399D6E09D822A4FDFBE95124DC,SHA256=0FC867C5CB776E0F04205B979BF2E3CF019E7918A864DEDDFCD8BCBAEF129B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:46.666{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9359D42D89D65EA5E82215738DC68728,SHA256=8A2194F6C14CEC00E2978BCFA346F7024911B3EE68DC9201ED66D7239AB90744,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:46.666{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A94600FF5E29F4FD0D8F5442FF94A9A,SHA256=D1EEF8D0CCD60F9B5BEA6546648913F33389EF9EB9EC2F25AAE5C6C311D3019E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:46.041{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50410B15D7469798F91F6DE4ADD56BD6,SHA256=A9D573F8910C7CF37D480A8F4AFABD2DAB06F478E6E74BEC12D2CAEAF86C6182,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425209Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:45.399{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-50074-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425208Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:47.686{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45AD7A26797B45548DEE64C7408CC4E0,SHA256=E28B880319C8EA63CD7055797BDF0073164C68C98DDFE45AE2924D037F2798A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425207Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:47.468{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05E98EC7F466B2A45BD8B5982C413376,SHA256=40DF98E917A371BB2A4C81D9CF929BC734FE6CFF249B50B98561575E535A7011,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:47.057{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8813E20013CAC3CC6377C4FC59D134A7,SHA256=269C6BCC77B875D955301DD41F811F714BA8BB9984056856CAFD3A1DC8308513,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:43.696{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50071-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001425210Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:48.483{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25573741DB8C2F4D4DEC4502D1474B18,SHA256=B728490A36BC68615F95013672424CE91FA6363ED829CC1DDB9F2F5F7FF7B534,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:45.383{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50072-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001520015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:48.058{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC52BE334C384161E11AE1CCD0C2B110,SHA256=80B9E190F0B895EDC8BC306C0FAE2B9FCD4B4EDCA7C7FD4B7374FAF4DED0993D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425212Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:47.814{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-53604-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425211Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:49.530{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96610573C5130975C51D12F16FF80BEE,SHA256=A4307C16A2440D1F5E1BF6CA51290A52F7EA5437A51C8CD7C82EFC40026A154A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:46.057{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-37849-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:49.071{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5863B57A4E66C17B2BB78A18E2AFD9,SHA256=A2F6CCBF37D370FB8D57E1D5FAB9A4123911E30D789D08B2C8CC65BC11D85B9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425215Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:48.841{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49794-false10.0.1.12-8000- 23542300x80000000000000001425214Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:50.546{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98248AD3C5E3F8EF1F0CD174212BD34A,SHA256=31E1DC095B4485ABAC8521FE455AACD3D17BE0180AC61A9BE8E6F58658F9920C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:50.431{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9359D42D89D65EA5E82215738DC68728,SHA256=8A2194F6C14CEC00E2978BCFA346F7024911B3EE68DC9201ED66D7239AB90744,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:48.061{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50076-false169.254.169.254-80http 354300x80000000000000001520022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:47.992{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50075-false169.254.169.254-80http 354300x80000000000000001520021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:47.934{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50074-false169.254.169.254-80http 354300x80000000000000001520020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:47.931{5EBD8912-18BB-6154-4300-00000000FE01}3640C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50073-false169.254.169.254-80http 23542300x80000000000000001520019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:50.087{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9060DA3B52C229959F2F18127B2F144,SHA256=80DC9050C46913E6FC2DA286789DDAFEF57186F7B2CF6F9B508401350617A809,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425213Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:49.999{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=233DBC981DC36EE8A6990F4142DCDD24,SHA256=048011696FDE4BADE1A67D3619CB98F4122EDAD42A85C9FAB5D7AD7918765FA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425216Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:51.593{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A9D223162C9E493F5DE9CBB6078243,SHA256=23D79105E7884DAF68FEA748AD40BC944710162AA3D996AA3AF5DC62223E859E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:51.088{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0FFF1035F7AAE166411D84AF8968F68,SHA256=5B224323DC15E82807A0EE6A0511C71F3D568896BB9918E8ADD12A1E4579A79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425217Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:52.609{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=368AA02D6A8FAEAF47C6364A317C82F8,SHA256=BFF86CF6D57802A1CDF79606D6EEFEC3A9ACC5F8416BDE423D73414D9D88B202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:52.104{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=567A30CE6FD83E06F69A927CFCBBA62A,SHA256=A0849BB3E6C85AA2626D265E5ABA609B5013406F65CB5E159AF59CEE3945ADE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425220Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:53.656{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1973EC80B4EFA79C71D5488107FD8BDF,SHA256=08A026612C6BB87FCD203DBA777802AB644EAEB1EF24195EF414A86B0FACDAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425219Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:53.656{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09CE8F8DC8DE40E9E729569F8615D70F,SHA256=63A065D6A51796D6BA8BF4014A235D8D326A8CC95B36E6EE41F8C2979B33F1DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:50.568{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50077-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:50.076{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-44396-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:53.120{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2142B9FCA592407318DC79F79B367C0C,SHA256=07734002E40DC15FE26C295F4D60BFDEBDB830B1C608FA6BF2F00FF9A076B3B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425218Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:50.913{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-57306-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425221Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:54.687{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E551A6DB16BC5E6A0AFA92208199A8,SHA256=431B4224585F111CE2AA128273C7DFBC552EFC6F4060FBB1CEDFBE18A91C920B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:54.373{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-004MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:54.136{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23058A97587B6E4C368A60718AC4FCF8,SHA256=D07CA602F316AF9D5CFD7EB2CE20CD713A4DA514528882C7E953AE39BD21C22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425222Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:55.719{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D58B1444AAB938AC906A849D52C4340F,SHA256=6C5D62610CDFBB80CDD947AD39E77A16BEAD148E6C3BA6AE030688CE22606F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:55.606{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89CA1D03333C8049CD2CA01CA223510C,SHA256=D3A8F3A5C55B361932160C9899873A123B123D16CC15ACF1FB5B18D4DFA23C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:55.606{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C1B8084003D4DB7C509424E9FDCA0A22,SHA256=33A0291074B83EA63D1E56C62AA3F8728641B09E81A49E7D3B3707C1F194D84B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:55.380{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-005MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:55.160{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2123C559E1D229D8EA9D84F296E206D5,SHA256=19AD002CCFCF8B04BF820913F4A2180C9462E12AFDBC05B121F9503226201A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425225Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:56.781{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EE270D92DFE3E1C584DCDF2D6C5F47F,SHA256=AC41281F4EEE6E1DD29A1E49D476406230440716D638CCBE43C448CD3D7ACB32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:56.297{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C90E596C8FD1B777657BF288CCDEB6F,SHA256=A0BE249FA2E115BC12AD69D1CF3A0CB3648955EA787B889C903BEA2EE0CC9276,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425224Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:54.079{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-2240-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425223Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:53.934{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49795-false10.0.1.12-8000- 23542300x80000000000000001425227Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:57.797{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E33D8554F18FDF78244DA37047B94AE,SHA256=DA3434670A675EFAD4EB85BD54966710041F2BF8076724AC6073F9C69F68D687,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:55.434{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-52359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:57.297{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88C8DC0EADD63CC58EFC89705416D8EC,SHA256=C3A9D4FFA5B72B03A553162463A1DCAAB57482063494E899A924F6BFFB1F84D5,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001425226Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:46:57.594{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x2df16285) 23542300x80000000000000001425230Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:58.812{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B1482C35C618DB8E65D1F426686E5F6,SHA256=694E91616974B63D23BF0C715103D2303E53F77A67D110784344DE562DC91CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425229Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:58.812{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6A7755598A9C3A3C529A2FB87C3490F,SHA256=30C3A7E108C85CE70158AF41907DCF33A1435440538E12998592C6E849C360D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425228Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:58.812{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49D629A65F1F5FA757DAF8D75168B0CF,SHA256=E4DDA74A9F0033817DF9C55C87E53910A89F0513B32731346DD6FE0445497B57,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:56.384{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50078-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001520048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.517{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19F2-6154-BE00-00000000FE01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.517{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.517{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.517{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.517{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.517{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-19F2-6154-BE00-00000000FE01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.517{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19F2-6154-BE00-00000000FE01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.518{5EBD8912-19F2-6154-BE00-00000000FE01}5780C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001520040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.392{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26CD3480D5D084F1FC627FC380D0F5B3,SHA256=78F86A0D0D2304326C2C0D2D57D6D0DB259674F82AFB2A57508DD8D507FC076E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.251{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89CA1D03333C8049CD2CA01CA223510C,SHA256=D3A8F3A5C55B361932160C9899873A123B123D16CC15ACF1FB5B18D4DFA23C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425231Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:59.828{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95A4A37DB70A75C02237619B5D9C9AE3,SHA256=912947430106A828D00946CFAB534F0DCE8EC923EAF4A7C99387CB2284DCC5AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.783{5EBD8912-19F3-6154-BF00-00000000FE01}32766104C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.580{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F76CB80401C6E36015DFC64C718A1C2,SHA256=ECD39667254512C3FB1C9FE2D2E1188581B7DFB787C69B567D1786FCC854F834,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:57.257{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-32174-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:57.233{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-32012-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.533{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=563C59A1325D8C81DDA5FC92D8E85722,SHA256=368489D38017962E47A8638E4FA829FC433B7024A604BFADA236EDB1E798AC33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.517{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19F3-6154-BF00-00000000FE01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.517{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.517{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.517{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.517{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.517{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-19F3-6154-BF00-00000000FE01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.517{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19F3-6154-BF00-00000000FE01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.518{5EBD8912-19F3-6154-BF00-00000000FE01}3276C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425232Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:00.859{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD888E406012F5605C770EF6B0120D17,SHA256=955BDA95A6A9292A21CC70919F852B09A73B8A2B383DDEFFE21E103B440EFD97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.773{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-55662-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.618{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50079-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001520087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.618{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50079-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001520086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:58.356{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-36767-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.612{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C55C7BBEBFFA91D5715978C690E15B,SHA256=A856329264C4CEDA35BCEB63CE1565742786A7CA6E1527F9C30A7A67093A81C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.362{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=CC0B5B07B8D68D3CC66BA084A6D61E9A,SHA256=56D44CABB0740CB70D2990BEF546336220D54FD21F394134F17F90FA4B7AD260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.346{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=228CA890251E03E3B4DE941D8010E98D,SHA256=CAAD3BEC97E8675D1EA1B52E0676FD20530FC07468640DA93F19236A667E5543,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.315{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19F4-6154-C000-00000000FE01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.315{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.315{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.315{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.315{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.315{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19F4-6154-C000-00000000FE01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.315{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19F4-6154-C000-00000000FE01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.316{5EBD8912-19F4-6154-C000-00000000FE01}436C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001520074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.299{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=228CA890251E03E3B4DE941D8010E98D,SHA256=CAAD3BEC97E8675D1EA1B52E0676FD20530FC07468640DA93F19236A667E5543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.299{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=15F74536B8F1DC74288A98307A8EC8DC,SHA256=04377A3910CD5D8D5827BDE04A511F4D722AEC3844ACCDFCB26B288C5A993C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.236{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=9454C62CB10359F7AEE6FCE82E8E23B5,SHA256=A0FB111BD8682C8E2C16E46E784E2D4268AB9FCEB7469A9F6D2E6A7EF31DA877,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001520071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-CreatePipe2021-09-29 07:47:00.221{5EBD8912-18B9-6154-2F00-00000000FE01}2408\Winsock2\CatalogChangeListener-968-0C:\Windows\system32\DFSRs.exe 10341000x80000000000000001520070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.221{5EBD8912-18AC-6154-1200-00000000FE01}4521740C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\es.dll+14045|c:\windows\system32\es.dll+200bc|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+3b27c|C:\Windows\System32\combase.dll+3af32|C:\Windows\System32\combase.dll+39848|C:\Windows\System32\combase.dll+375ad|C:\Windows\System32\combase.dll+36c7f|C:\Windows\System32\combase.dll+524b9|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001520069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.205{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.205{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d7e|C:\Windows\system32\lsasrv.dll+1ec9a|C:\Windows\SYSTEM32\samsrv.dll+5e81|C:\Windows\SYSTEM32\samsrv.dll+5d82|C:\Windows\SYSTEM32\samsrv.dll+1594e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001520067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:47:00.158{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8EFF07E0-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8EFF07E0-0000-0000-0000-100000000000.XML 13241300x80000000000000001520066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:47:00.144{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Config SourceDWORD (0x00000001) 13241300x80000000000000001520065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:47:00.144{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\C073BBA9-345E-4F58-AADF-98D983B75502\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_C073BBA9-345E-4F58-AADF-98D983B75502.XML 23542300x80000000000000001520064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.127{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\DFS ReplicationMD5=1E146E4207327D0C84D1F62AF88D1BC7,SHA256=FAE67A583E26F704F29B54F29CF22DE57562F0E218163A43182A5DBAB830DF40,IMPHASH=00000000000000000000000000000000falsetrue 734700x80000000000000001520063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.096{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 23542300x80000000000000001425236Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:01.874{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FFA7A3BCC43C0C5DE8891C56A9A6ED0,SHA256=6DB33AAB37DA45BD3172D39FA50693920227CC0529B4E9B3249100131CC85C1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:01.612{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83273D206D3465D6141BACCF8DD65A2,SHA256=194EF0B082CAFE94F2FD1C7D716B5E3A4C566E6495D8CB6586404C0447B5A937,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.759{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50089-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.759{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50089-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.743{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50088-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.743{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50088-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.596{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50087-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.596{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50087-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.587{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50086-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.587{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50086-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001425235Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:59.981{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49796-false10.0.1.12-8000- 354300x80000000000000001425234Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:46:58.886{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-8093-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425233Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:01.359{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B1482C35C618DB8E65D1F426686E5F6,SHA256=694E91616974B63D23BF0C715103D2303E53F77A67D110784344DE562DC91CEA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.511{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50084-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.511{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50084-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.467{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-41265-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.462{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50083-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.462{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50083-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 22542200x80000000000000001520097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.460{5EBD8912-18B9-6154-2F00-00000000FE01}2408win-dc-429.attackrange.local0fe80::65e5:9cae:dd2b:361b;::ffff:10.0.1.14;C:\Windows\System32\dfsrs.exe 23542300x80000000000000001520096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:01.112{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E12B2F7453642C61CE33E87E70FD4895,SHA256=2279ECBA6A2C998D6BC5FD6BA4833D40A9878794BD83F6E5F733F825708B90CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.447{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50082-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001520094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.447{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50082-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001520093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.445{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50081-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001520092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.445{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50081-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001520091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.431{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50080-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:46:59.431{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50080-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 23542300x80000000000000001425237Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:02.890{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=317FF2C8E78C62728DAFF9562C32F889,SHA256=3EFB47E48A9D54A6FCB90A593712C04AEEDA51197BEA045A098C70E8E9BBF367,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:00.563{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-45780-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6149CEB008039BDEAB5743A2E42E2545,SHA256=49281D7711ACC0C9FC8C87FD75DF7241C06AF827C4E94CB485D95D9CB72F359E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.631{5EBD8912-19F6-6154-C100-00000000FE01}47084464C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.349{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19F6-6154-C100-00000000FE01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.349{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.349{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.349{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19F6-6154-C100-00000000FE01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.349{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.349{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.349{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19F6-6154-C100-00000000FE01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.350{5EBD8912-19F6-6154-C100-00000000FE01}4708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001520112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.271{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=394306695581AD20AB52028FBD5AEB37,SHA256=1DF457A3448620A4C17E17A860C84E28AC510D71C546B81EFA0333138228C992,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425240Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:03.983{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9FEE73D78F447F93DC3169B7F2774282,SHA256=2BF5F7F9860E602D0CF8F781A8E7B136217663856EB3C854A64BBECCFF65EFF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425239Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:03.905{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF57262BF60567291DEBB6A131F755D5,SHA256=C1746EE6B8077CC730A113524CEE65C3DDDA45CFAB6ED1983F07BFFBF398125E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.803{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19F7-6154-C300-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.803{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.803{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.803{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.803{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.803{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19F7-6154-C300-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.803{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19F7-6154-C300-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.805{5EBD8912-19F7-6154-C300-00000000FE01}5612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001520136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:01.641{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49882-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:01.212{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-58699-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.647{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218F2C5CD7008541043715018F90FF38,SHA256=1963A959A52A99419C7AFA80CF7FD9AE60ABB18E359F535DB9EFBFCD0BB17363,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425238Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:01.649{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-11401-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001520133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.350{5EBD8912-19F7-6154-C200-00000000FE01}45644752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.350{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F11343BD429616B1E942EC7AFEA1B363,SHA256=7F6A424D3F8118F153D3BCA2FD5BF25D6BF1AAAD314B4CC24D87DF2B3983B724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.146{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19F7-6154-C200-00000000FE01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.146{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.146{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.146{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.146{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.146{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-19F7-6154-C200-00000000FE01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.146{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19F7-6154-C200-00000000FE01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.147{5EBD8912-19F7-6154-C200-00000000FE01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425241Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:04.905{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C4B6777002CF71E7429403E7BF1F63,SHA256=E3F6A3D266A7E13745915A01B4BE433756A2182575E28F1BF4DE4C906F73D07A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.719{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-54045-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:02.371{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50090-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001520147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:04.663{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64D734AE2596AA1AF53590A88D92D4B3,SHA256=E11BDC5C9D104A78FA2CC17A466FB1E321F19A1732367B1B70FADDF370FBBF0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:04.444{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9A4625108D151AEC598B4DD26225A4D3,SHA256=E2AEDC2FA8199380F3D66136E2F612A00A67802C888258AAF95F881DE767F273,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:04.053{5EBD8912-19F7-6154-C300-00000000FE01}56125040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425242Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:05.905{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07550C52440E20243D7CCA245EA770,SHA256=322AB69D880E2C1C696025A57A6A175E1975EE0D7194561A93494FE0A960D067,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.812{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58559-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:03.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-3420-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.695{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA7E4C697BABAD8E5293960F06C3702,SHA256=D47DE28711574EF00CCFA0E25237FE9C44542A7007C3E8A32F5AFC6E379C9544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.523{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D3207D618B1A0F16AE725CBCCD5E74F,SHA256=4F8B695C0FF4B89C45F060DB20DAE0BD9592EF9DBC0C980E00D18ED813B7C8B6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.147{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-19F9-6154-C400-00000000FE01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.147{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.147{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.147{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.147{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.147{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-19F9-6154-C400-00000000FE01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.147{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-19F9-6154-C400-00000000FE01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:05.148{5EBD8912-19F9-6154-C400-00000000FE01}5948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425246Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:06.920{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF725143973E47A1A5CE4B6B531E08A,SHA256=07EB801B76537B4B1DCD6E1FD55CF84A46BD8423F4C4C73B0539FB484F9C7FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:06.789{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1309918AFA6BD3C01769ABEDD53689,SHA256=2F571FD7F3063C9F1A7CE1F3CD6F4254998085DBF01984BD9B033802EDE21776,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425245Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:05.044{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49797-false10.0.1.12-8000- 354300x80000000000000001425244Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:04.100{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-14821-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425243Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:06.108{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0997339383B317B4FA727A5F19644F96,SHA256=6AD6158E7B791739C11DAAA81D60B80F4535C1A5ED9C0B1F88CA50A57064AA49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:06.523{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E120C73F05D428963EBB4CC7496BA90E,SHA256=6B95A253146DE1EFA6021A845FA753792894E180603D8F23C0097BFB3A00E437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:07.852{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFAD6A7A86349B2D1D600753A06751B,SHA256=5BCA8CCD2C141F345B53E5BAF73324BCCA01849E6C17CA2863E6D4D3A6EBF6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425247Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:07.936{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80FACBCF75011E7D973BD7CA3C7A59FD,SHA256=C145DA6184AD71EADC09EDC099BCFFCE57B115758C56AC4F0227F6282D08C5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:07.774{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4B3AF210117FDCEBC760497C9E96347,SHA256=5BAB146B61A752A9B4A9896A6E358FAB808C5C4CBDFE885A7B0242F4B8285531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425249Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:08.936{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66F0A240B768CB2E870268470B3C2A1B,SHA256=1978313288E4CADB7D296B74B2E33BC2128B865ED2FCAB72648399444E617C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:08.852{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A0DAFFF6CC8BD90266D20EA29E42EF1,SHA256=7CDEBDE6BFEE86A11414FA0BAD16D96B79E619DC319057BB6BA0D3EBA3DBC018,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:04.906{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4099-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425248Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:06.185{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-17829-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425250Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:09.951{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=858793407E999C6DC79BB49D3A9CE031,SHA256=E03D1D0508B1D30B9D81D6A1EFE060C0260D773E8C5C6AB81E886F3B03DE93D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:09.853{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3F44907462B48C9955686B306304F7E,SHA256=C69C3593FBB77F3ECF840590C76F062CDA1D04FF70F2528A34538417E411C7E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:09.228{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85910FD0D69234AB0085CBB37E71E9C5,SHA256=0F050CC1B781139E4E00CAEA0D987AEB6E75BB3FE7B853E9F7BE5796AD549DA7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001520170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:47:09.165{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x34d703d3) 354300x80000000000000001520169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:06.078{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-6737-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:06.030{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425252Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:10.951{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0C74164370C3013718F85615170ADB,SHA256=564642D2A2BCFF331F300A77998D745866FBE77A546EC134F376F326E4F83531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:10.853{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9751479443DD083B1F2B0279329C609,SHA256=A2F9CA8FE51F157497A08F42BF04A55A2E1C8D263AD3E8EA8BF6ECF492310E81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425251Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:10.107{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=787750B1EEA8E66FCFC6C9DD662DF7F3,SHA256=3836152F7F2335AF0DC6267C26CD0F79680C3E6B110D485B761CC35F07BF8A8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:10.400{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AF7330B19EDAD583043C7FDDEB6FBC2,SHA256=BC0A70FA058EBCE36B954AFDE2109040D69304EE1AD5306E2447EE54CDA4B3F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:07.547{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-13595-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:07.464{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50091-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001425253Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:11.966{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38845D4A162A0245EBF8E281368B7BBA,SHA256=69CD0DA92EB0A3904004132CAD4F2435A50EE57CD864FA51C69440176E2E012C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:11.854{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB0DB4C237CF3D1B8A79252D7A8FE614,SHA256=CADA9790F761488FFA378326374C3E7A3C24EB40BB3E587AC7E78AB6F5DFA89B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:11.479{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0FE449A0140EB3DCA0085471A5AC3CF2,SHA256=E6991BC29A6FB0A5057644C79976598927672989CE4B2A60E99665579F31AA83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425256Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:12.982{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3CC381B93563C99E605F686840F2A85,SHA256=52D65E6C7C2BF9C8E484F0FA41C22692E8E8BF64C54223660BD52780AA2372AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:12.854{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96534BC49D51268BA4C8F93E89F02E1B,SHA256=E898C7520198322997602FD9CF952745F45A8AAA417072B02B5EB8A603C2B2CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425255Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:10.887{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49798-false10.0.1.12-8000- 354300x80000000000000001425254Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:10.466{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-23221-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:12.557{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4110A5FFF344B772513098F238ECCDE5,SHA256=57CBDD41F1BEA1ADD2437914FEBE9A303AC635811A15C451B5955CA449DD0E60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:09.765{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-23138-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:09.548{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-10315-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:08.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-18223-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:13.902{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45CBAB855382F9EFBFD263AC2435A0CA,SHA256=B37D75555B0A6C1D333F9CA292320253D97F4DB20D6A75DFD08EE3E6825158CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425257Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:13.029{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B4F2125839DACFB423EEC28968DC0F85,SHA256=11C206FA7E31CD782F352F8A9A489E4760E29ECB2C2478F738847C5373CA3203,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:13.667{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=33808F9D79A0F77086318742411458F8,SHA256=CAC9719B811DDD588BEC30681C7DEFE6C38E59A24599F85F302FBB5CC56AF4B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:10.845{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27381-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.902{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26EE5CA5187AD1FB1BE0166FB941E08E,SHA256=30D84970B7C65921AE1463D5590C1A60C6434A64E35F25AB705E9DEB2DEF44BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.808{5EBD8912-18A9-6154-0B00-00000000FE01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnsMD5=1ED9955C15C95D865A46A537998C900F,SHA256=A28BE6F8BD9359291F4A7F554196F44D63B6A5B945818C2F739AF0C137FB0AF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.808{5EBD8912-18A9-6154-0B00-00000000FE01}640NT AUTHORITY\SYSTEMC:\Windows\system32\lsass.exeC:\Windows\System32\config\netlogon.dnbMD5=AE0485662867E1DDD730B2179055F4FC,SHA256=3A97D1CADCA6919E5EE5A6A54F1863CB6773DF209A959539DD3B174EFB6683A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:11.934{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-31653-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425262Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:12.859{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-26773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425261Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:14.497{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F6AF6D86052CE5B11A143F0D978EF54,SHA256=6C83BE2FA9E48095A9DA950271ABD3A63FB26B17F4898B65A3820F22C9D2D995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425260Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:14.388{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425259Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:14.326{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=E4748FA6ECC526BA471C44A1757E69E9,SHA256=43DD7C8089BB8309BB69CD2527CCE682E43F41ECD076DF58D1443E083EBE6A7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425258Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:13.998{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABA5D6546FDB45F1A16942A897A92BE9,SHA256=4E253E4537F590509442A059E1ABCB02E4AB0328848E1EFBBBFBDB2E9C079E63,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.136{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53616- 354300x80000000000000001520227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.135{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53859- 354300x80000000000000001520226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.134{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51886- 354300x80000000000000001520225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.134{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55918- 354300x80000000000000001520224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.133{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56163- 354300x80000000000000001520223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.130{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56348- 354300x80000000000000001520222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.129{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55024- 354300x80000000000000001520221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.128{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52489- 354300x80000000000000001520220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.127{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53245- 354300x80000000000000001520219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.126{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57536- 354300x80000000000000001520218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.125{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53572- 354300x80000000000000001520217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.124{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59682- 354300x80000000000000001520216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.120{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local51189- 354300x80000000000000001520215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.118{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local57096- 354300x80000000000000001520214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.117{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51280- 354300x80000000000000001520213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.117{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55508- 354300x80000000000000001520212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.116{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local54527- 354300x80000000000000001520211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.115{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50121- 354300x80000000000000001520210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.114{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56027- 354300x80000000000000001520209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.111{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local51507- 354300x80000000000000001520208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.110{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55721- 354300x80000000000000001520207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.110{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local56502- 354300x80000000000000001520206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.106{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54816- 354300x80000000000000001520205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.105{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58395- 354300x80000000000000001520204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.104{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local60882- 354300x80000000000000001520203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.103{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local60275- 354300x80000000000000001520202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.102{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local55389- 354300x80000000000000001520201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.100{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58837- 354300x80000000000000001520200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.091{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50094-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001520199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.091{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50094-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local49666- 354300x80000000000000001520198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.090{5EBD8912-18AB-6154-0D00-00000000FE01}908C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50093-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001520197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.090{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50093-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local135epmap 354300x80000000000000001520196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:13.684{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46182-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:13.663{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46078-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:13.386{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50092-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:13.046{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-36199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:12.370{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-14311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:15.012{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5520874572C7BBED740A6C8B210CE72E,SHA256=26FD3EAE2CF28FED2E49F50DEDEE73F868AC6FCEA3DA508967C89A3956511735,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425264Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:14.169{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49799-false10.0.1.12-8089- 23542300x80000000000000001425263Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:15.013{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60E55DF0BE8997718A802884B0856C5,SHA256=83B3A8364B43C734A8F25D2187A568BDA85A652F86A02958193A501DEBF7DB26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:16.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56446028CD85B2BCE45503395B565888,SHA256=0DA0E167E1684364A272B3262DE95ED0A72D9E42BE80654A210389714F09795B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:16.278{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9DFC7E71F8710D8E8A1BA198A11B887,SHA256=F385276FBBB9B3E7F9D4DD50022DEEB03424507C9893B68330CCC4EA32EA40D3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.142{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local53624- 354300x80000000000000001520231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.141{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local54930- 354300x80000000000000001520230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.138{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local56852- 354300x80000000000000001520229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.138{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53447- 23542300x80000000000000001425265Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:16.029{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79A2CDD324207082ACD1F2083EC6E927,SHA256=73A8D9A16C24BEBA5C24B3E3ECB5A4861B6A6170BC57030981801FCD4BC01A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:17.231{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C07E9757562FDB3FE62BF3AE999BC499,SHA256=55F1785200A60A6C3D33DB519FDE87EE5F77DDD84E806CEB524A2B15E3FAB447,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425269Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:14.588{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-30020-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425268Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:17.325{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D958D233A9C363032F35435339949526,SHA256=4BBEA4D4A4B27282C95207926D305B973AACD8F9D06811EAB2D4D95DEF9DA3E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425267Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:17.325{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=F44CAC67DC3D6F9A0DB84045E43C968D,SHA256=EF30E4726ADC91F60B2C21F10CEBBFF030B5EB1B1190FF84C427C7F4AF3CB04C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425266Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:17.060{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26697A53481670068F594F69E48033F,SHA256=D08AAE60F6199EC4FA5F2520365D636876C6334E166775D80482A24B1E99358E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:17.216{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DD42FE647910AB34CB213551D4B6B6E,SHA256=2B5E8F94DEE1133C014ED30A20A6C1E3476B9D77697D879D55B9A71A135FC763,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.808{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-50650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.389{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-41277-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.156{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local55779- 354300x80000000000000001520240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.151{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local58202- 354300x80000000000000001520239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.150{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52659- 354300x80000000000000001520238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.148{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.14win-dc-429.attackrange.local57433- 354300x80000000000000001520237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.146{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local59143- 354300x80000000000000001520236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.145{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50894- 354300x80000000000000001520235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:14.143{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local52765- 354300x80000000000000001520250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:15.904{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-54889-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:15.500{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-45352-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:15.309{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-18134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:18.326{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D370922F1C1D9EEECB46CDC1199FDFB8,SHA256=3007921688C3DAF397CD37A9EEF0AA221E8D2B32D4A4B14661B6EE51E216F31D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:18.232{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0F95ABB65D16906258FEEE1EC557AE,SHA256=43E1A97EAAE38626817B9C4F63F603AB6F65E16210674A353E8EC0B9DC315418,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425272Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:15.903{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49800-false10.0.1.12-8000- 23542300x80000000000000001425271Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:18.107{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BF77A0FAF797EF2A0886049D1021A32,SHA256=0DD30912644B11C38ADB709FC3DFE93E37CA5425C85B3BFED2891AFDFFAF5F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425270Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:17.997{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9DD3FBCB01F27EF40F740CE488BCAD5,SHA256=2E701BB66FED2806785C6300A6E31A79297A53F97A1BEB93C7A6F958121113A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:16.981{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-59196-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:16.592{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49953-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:19.420{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD44975A325BE1D15E03AD1596581578,SHA256=DBB920CF435B9978F94F6C5D481C0AE4906C72C500552A944D1AA8460321BFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:19.232{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB13C185B05E4B27B2E440C2466E56EA,SHA256=5EC2248446F04E38C928BBEC71A54B13D79D5D5E50F20C4EA22EAD270BC651AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425273Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:19.122{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2DF61D62C69C22D6757041F2D8EAF5,SHA256=9D4ACFAD49F31142664B0E1D8BEAAA23D9C249A1E880F7FEAF0206D78ED723F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:20.483{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65E9EDAAF580DF7B4F21A86842D2F9C2,SHA256=73FD39E4C815AB5A9D55E26313BFD951313C219437B5C082114D9796F5EE01B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:18.574{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50095-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:18.044{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4440-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:17.704{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-54533-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:20.280{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793DE8064597F95F638DA867085BB1B0,SHA256=F6178E7D094C667031088A82C8141D0DE1912A0E6DFF1DD2CADD79A46592A00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425274Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:20.153{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C360CBB39CEBFC8783C373124E200658,SHA256=8F79FA9DD3A471B69A3F6D772A1C77212E40FFC50B50991C4C0007A113AE2F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:21.577{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B5A1B0BB76FEBD827178EC11E42B0EC,SHA256=34E6127FDEB06DFEA289760000DE8C322948C9AC8DAE856D46C5116682585D42,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:19.106{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-8700-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:18.785{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-58877-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:21.280{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39C17238CE08969D742C25CAF342EA9,SHA256=ADC713084AEC4E144E1F74FA97C324F5717ABCF8746975F4D44E07A03C7B6196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425277Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:21.919{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D882E9802D267D1A65975749A6A11A2C,SHA256=BAAC07AFD7EFCA842DB1164B981DCE85C104F81E7FC0B4C299C94906AEB2EFB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425276Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:21.153{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5427034610F2B2FCC8AEF5B97E3B45AB,SHA256=0CBFBC9B2522EC45C48CE05230363CB515A259AF5544F74121391E37AEF69108,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425275Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:19.036{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-34567-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:22.660{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=764565F5CDB0933CE3219B4D3762880B,SHA256=B8F9FEA0908DE38FA57FB969C4693B9A445A99254A8B471C4D0BC1236B62A6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:19.862{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-4280-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:22.285{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB65D2A1D02B11CA28F3BB1F2D857322,SHA256=430121E2A64E302763F671E860255E6CFB4013FA4E26071662FEDD696B73D887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425278Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:22.185{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A4FCA1794B5A077195A0B04597AAB7,SHA256=D675CBBF7742DF025509833DD09D724408E61BF41CA7E9D833DF628FBABE1154,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425280Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:23.950{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34FE7C4E121006F4A476D7B046142852,SHA256=B19BEFA71BEDD933815B2BC759E38F23012854941264CD481369803A410E8B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425279Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:23.263{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2720ED996DE0C0DC4DE27718173AF413,SHA256=960489A87790A26B3877CD33AF178E2FA29942215375E4D03B79CB37F858E050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:23.738{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78D64001C95135E22C825D02530110BE,SHA256=DB808DA1158049B07EC8CFB3CFB6B7870F4F5633B29F2A6249E0DE9B6315F49C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:21.251{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-17178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:20.938{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-8470-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:20.184{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-12931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:23.301{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079DC5A84893798D79DD65ACE1E9C025,SHA256=265DA30F74707FC990934A3FE4FB7A4EF787268820B7B2E516DD94A398BD7EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:24.817{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A42618DEDCBC0DBF4CBD1E2A17A6417C,SHA256=66ED23953680A3288020B3BA567BF9C00EE3A1C59DB231E2CF763ECED218E362,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:22.343{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-21473-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:22.020{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-12522-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:24.332{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D69504AE9998BBDB0A025612635F378,SHA256=9BD0F4B51E53101D36511A4055A8D8BB70062714868353CE4F753C729537AD5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425283Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:24.372{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F6130F5A383B17595E3998975E186C,SHA256=F4702C1D8415A8C3D96342907B41407B73022B17B161BF882A2C293EAE85A21F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425282Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:22.330{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-38470-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425281Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:20.997{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49801-false10.0.1.12-8000- 354300x80000000000000001520279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:23.437{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-25564-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:23.098{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-17042-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:22.579{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26781-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:25.348{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC884E79BCDBCE62C4B0F2CBD9FAA10,SHA256=7F3F766A71EF2E5D4154FB8E4DF1736EB52C70E221E52D09611ACACD94349837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425287Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:25.408{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-005MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425286Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:25.374{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FF4A717AE83B8796D78801B6425A08F,SHA256=C1D30C50FB9B438E69F66326CC731AAC06FA9D9F58B5C8387A2E74D9BD5B68B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425285Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:25.109{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E48240789F655B425CCE373B21220BE2,SHA256=C1067C30E6559AFDDDC8B4D2482A734C27CB44C0891F7036CCBC03086C967742,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425284Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:23.681{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-9159-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:26.349{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3045263C72F62530F93F8C6DD3C4242D,SHA256=D709FEEF8AA3BDD8607D105C83FFB319F4ABB2CAAD34F6BE37B7D5AEC314A889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425291Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:26.425{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D83C51FE1A080B0A53D88C2B0BA77D,SHA256=2BDA59867F73F5ACC527E57B12AFDC72B7AE70EBE27B2D435A1AEC8E45A5309D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425290Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:26.422{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-006MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:26.146{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4CBA34216B7DA7013B1DC8274912D6C0,SHA256=654D5405192BDD36220053653DABDF1DE0C065A2EA2DEB67DA3C865FD6FA1E67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425289Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:23.705{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-9361-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425288Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:26.281{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2783644888E465823951C89D085DF777,SHA256=644F4BB0E82324B234F3BB42280B940ED22F4975723C3900B3E5DB17DE1C77D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:27.959{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:27.349{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7E6775BDA4EBF6B7F7D96A5DB01E24,SHA256=17166097E4DD824CAE387ECB79C4A7A0CCD824AEAE45E3207CA3035593DEB6E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425295Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:27.623{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0A4F7F5378A117A9D48BD893B605764,SHA256=4B9CF8EB1DABDFC941AD553DC0322927ED1C848F6F27BE7A27FE0A30B94723D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425294Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:27.436{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4F011F915D13625AEEF36C75580382C,SHA256=CA239D01D5F19767F809E349B6F870B38F2092B8879568F56B5D6E5DF4045E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:27.224{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91CA06571E2A6BD87C66920D1970CF6F,SHA256=91478611B6A46947D3A1CBA27E3B2602E3182E800A18C538730F673BA35C6ECE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425293Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:24.942{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15925-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425292Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:24.493{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-42031-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425322Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.936{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8587BDAE265DCCAD34FF8424CDAB6374,SHA256=568E42F4571B00AC5E8E9DAB8AA302ADEB1AF7E521099987638800E1E28876C7,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001425321Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001425320Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0005cd79) 13241300x80000000000000001425319Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b4fd-0xde5f32b0) 13241300x80000000000000001425318Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b506-0x40239ab0) 13241300x80000000000000001425317Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b50e-0xa1e802b0) 13241300x80000000000000001425316Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x80000000000000001425315Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0005cd79) 13241300x80000000000000001425314Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d7b4fd-0xde6787ff) 13241300x80000000000000001425313Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d7b506-0x402befff) 13241300x80000000000000001425312Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:28.764{69CF5F33-1898-6154-0B00-00000000FE01}636C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d7b50e-0xa1f057ff) 10341000x80000000000000001425311Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A10-6154-A400-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425310Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425309Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425308Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425307Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425306Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425305Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425304Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425303Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425302Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425301Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1A10-6154-A400-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425300Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.529{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A10-6154-A400-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425299Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.530{69CF5F33-1A10-6154-A400-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425298Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.483{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3A68A3000F3A80C0B05B81D4589E64,SHA256=C334A31AAD97CEBFD7DF2B06A502DF925623899DC52A39D0D2DA18318396950F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:26.890{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-38929-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:26.582{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-30526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:28.350{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A0392C7EAAB70D3FD84431C4613FBC,SHA256=CA389E63EB309F5F3C7FAC1C673EC64F430C7186356FE6CD437313415B7E9DB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:28.303{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EFEE91D0C41CDEB1B5D6B3B4B906799,SHA256=D4C97638DD30906B73014105E20708918FD91B6C4636A11FCA648F5A099ED6A5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:25.642{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-34261-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:25.504{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-26218-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:24.677{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30226-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:24.531{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50096-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:24.516{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-29737-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:24.356{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-21832-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:24.273{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54264961- 354300x80000000000000001425297Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:26.316{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-22558-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425296Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:26.030{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49802-false10.0.1.12-8000- 23542300x80000000000000001425338Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.576{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC5F421364A86DB96EBD95C6A97C4A8,SHA256=57280B4D492FB1600EAE0482844A3B5B62F0D9F6C20236574B16E422F1525029,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425337Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.561{69CF5F33-1A11-6154-A500-00000000FE01}31442980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001425336Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:27.464{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-28793-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001520300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:28.156{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-44013-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:28.086{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34382-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:27.661{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-34883-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:29.382{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5685EED29DDF69F8D1F1C1FA8933C6A0,SHA256=D95D45116A1D623FE327901C8CB85F3F11E105BD4365B3D9EF29AE4D3B704A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:29.366{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E92FBEBFE832B30CC11969BD69B22A1,SHA256=E6C7A5233FA5EE946E4A9AD8F1C003738D11636077D12B3FEEBDA4CFA31720B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425335Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A11-6154-A500-00000000FE01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425334Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425333Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425332Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425331Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425330Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425329Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425328Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425327Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425326Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425325Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1A11-6154-A500-00000000FE01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425324Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.373{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A11-6154-A500-00000000FE01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425323Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:29.374{69CF5F33-1A11-6154-A500-00000000FE01}3144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001520332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:28.739{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-39231-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF40CC48B89040551CACFF8576AC0B1A,SHA256=63FCFB5224A262BF4E2426D566ADD9852378575F9C5E60E5DB313BB882BBC521,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBB8179966F5677E9ADC19B8DE03F8F0,SHA256=96611CB24E0F06E2C10008A3CFA1306E12B38991DAA5EBBD80997CA689D82F20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425354Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.701{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7812CCE15CE15E1D045BAE02A8F32A,SHA256=4AB111A22994C37FC252588E03DAD06B2DF0FE280F8DA4CBB63950B9BF554030,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425353Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:28.904{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36029-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001425352Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A12-6154-A600-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425351Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425350Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425349Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1A12-6154-A600-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425348Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425347Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425346Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425345Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425344Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425343Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425342Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425341Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.326{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A12-6154-A600-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425340Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.327{69CF5F33-1A12-6154-A600-00000000FE01}3916C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425339Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.248{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=69D797D6A992F705C53CFF834E6E6E92,SHA256=2AA8EB056DB4D3D478D3C95BF148BB79B4FE70C7B7F731271A49F53431DF6342,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.304{5EBD8912-194F-6154-A100-00000000FE01}44725372C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.304{5EBD8912-194F-6154-A100-00000000FE01}44725372C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.304{5EBD8912-194F-6154-A100-00000000FE01}44725372C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.288{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=571A0F468312FA79613F7472BE184295,SHA256=8FAF99BAE6840567234294108FF4176CB1971D5D0BFD53D9CB7587379E88F227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.273{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=312E65AE9B6661C241CB44748BBD2DB5,SHA256=9B6C73A776AB8F3A1392239FBB1401A6489F65F79A9032CEDFD7B96568AA867C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.257{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.257{5EBD8912-194E-6154-9A00-00000000FE01}48203932C:\Windows\system32\taskhostw.exe{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d812|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.257{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.241{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.241{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.210{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62f15|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.210{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+62e2e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.210{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62df7|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.210{5EBD8912-194F-6154-A100-00000000FE01}44725280C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+1544df|C:\Windows\System32\windows.storage.dll+15325f|C:\Windows\System32\windows.storage.dll+15620f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.194{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6162f|C:\Windows\System32\SHELL32.dll+62890|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.194{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47bc0|C:\Windows\System32\SHELL32.dll+6284c|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.194{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61884|C:\Windows\System32\SHELL32.dll+62820|C:\Windows\System32\TwinUI.dll+f54e1|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.194{5EBD8912-194F-6154-A100-00000000FE01}44725312C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+f5319|C:\Windows\System32\TwinUI.dll+f5d4f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.163{5EBD8912-18AC-6154-1600-00000000FE01}12721980C:\Windows\system32\svchost.exe{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.163{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.163{5EBD8912-1A12-6154-C600-00000000FE01}48364192C:\Windows\system32\conhost.exe{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.132{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-1A12-6154-C600-00000000FE01}4836C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.116{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.116{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.116{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.116{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.116{5EBD8912-194C-6154-9000-00000000FE01}28442320C:\Windows\system32\csrss.exe{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.116{5EBD8912-194F-6154-A100-00000000FE01}44724560C:\Windows\Explorer.EXE{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+a909f|C:\Windows\System32\windows.storage.dll+a8d15|C:\Windows\System32\windows.storage.dll+a8806|C:\Windows\System32\windows.storage.dll+a9c78|C:\Windows\System32\windows.storage.dll+a862e|C:\Windows\System32\windows.storage.dll+ab445|C:\Windows\System32\windows.storage.dll+ab7c4|C:\Windows\System32\windows.storage.dll+aae00|C:\Windows\System32\windows.storage.dll+ad62a|C:\Windows\System32\windows.storage.dll+ad3e2|C:\Windows\System32\SHELL32.dll+3f8bd|C:\Windows\System32\SHELL32.dll+3e456|C:\Windows\System32\SHELL32.dll+801d1|C:\Windows\System32\SHELL32.dll+6716e|C:\Windows\System32\SHELL32.dll+3d433|C:\Windows\System32\SHELL32.dll+3d2fb|C:\Windows\System32\SHELL32.dll+3cc17|C:\Windows\System32\SHELL32.dll+3c8dc|C:\Windows\System32\SHELL32.dll+e2157|C:\Windows\System32\SHELL32.dll+e20b5 154100x80000000000000001520301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.119{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x80000000000000001425357Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:31.701{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B94E1D24DD6AE70E48286B81CEF76CC,SHA256=3BE40217AF7727B3515396EFEB43A992C5ED772E57D14783E2DDBD1785E55F80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:31.617{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDA1F0EACDB31DE0C5BDBD13981BE3B,SHA256=6EC7DD90764572759E7A4C615D4D4DD9547CD5052F59D4CDBB88F4E0A0E754B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:31.539{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB22A3F0C0555928B6221FD49CF342A2,SHA256=308BBE72701DB715BD4B9BD65FC8264668C47EBFF13B9B525C48958A5572E2B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:31.117{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=571A0F468312FA79613F7472BE184295,SHA256=8FAF99BAE6840567234294108FF4176CB1971D5D0BFD53D9CB7587379E88F227,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425356Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:30.065{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-42194-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425355Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:31.311{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1BF7BB056D1D2B669AEEC34ECE7D3213,SHA256=32D9CEB19BD4099733831AD2EB30F1B0CDA93119BB6492B9E15BE79B689ADA90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425359Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:32.717{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B006695EF1E7B1F31B0A6C444E0B1969,SHA256=B7FE24AFC42F2C3E6F2A205068D0085097668E34A01C3350F5496866872D1D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:32.711{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0464D67A5B37F3C87F92778EAA8AEB0,SHA256=ABB11B643FCDDEC9AD1ACCC2CB21B62A25D2B9395F943045A343C23498511280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425358Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:32.326{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0420B8C1C27D732515E0A5C1C2A845D,SHA256=4924F3CCA9CDB3EE0E882A2F46DFA4F455978693FEAEEF1F4C1D7974A7F8EA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:32.617{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92DE6DB733359A7B326AD1767F22B5EB,SHA256=0C59D9487BC24D500286DA876413A9CE180004C7F3B5868399D173F5ECB33FEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425362Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:33.764{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5D52326910D1FDD73E15B2AC3737C5E,SHA256=E585AA35C6D320A6498B57B8380F7554C6B1438DFD5FC621EA549D01C07FC55B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.852{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.852{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.852{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.852{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.805{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-1A15-6154-CE00-00000000FE01}1500C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.805{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.805{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F833A7EAD657495943B27F1FEF11D078,SHA256=31E3819BF4D3F92ED9702E6587AECE5ED32FDE60583337DD4EC64B153C0125D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1A15-6154-CE00-00000000FE01}1500C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-1A15-6154-C900-00000000FE01}60805872C:\Windows\system32\devicecensus.exe{5EBD8912-1A15-6154-CE00-00000000FE01}1500C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\devicecensus.exe+15de|C:\Windows\system32\devicecensus.exe+24a9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.790{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.758{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-CD00-00000000FE01}4208C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.727{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-1A15-6154-CD00-00000000FE01}4208C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.727{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A15-6154-CD00-00000000FE01}4208C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.727{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-CD00-00000000FE01}4208C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.725{5EBD8912-1A15-6154-CD00-00000000FE01}4208C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001520377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.665{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.665{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.665{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.665{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425361Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:33.686{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B7C467A58D5A34CCC6F32320F65B237,SHA256=AF84B4B4327B9BF57E49CD25F34F26345266E97D0B65DB4869BC9347A7309FEF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425360Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:31.173{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-47545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001520373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.649{5EBD8912-1A15-6154-CC00-00000000FE01}41125788C:\Windows\system32\conhost.exe{5EBD8912-1A15-6154-CB00-00000000FE01}6008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.633{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}4112C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.633{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.618{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{00000000-0000-0000-0000-000000000000}6008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.618{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-CB00-00000000FE01}6008C:\Windows\system32\sc.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-1A15-6154-CA00-00000000FE01}428C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AC-6154-1600-00000000FE01}12721792C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-CA00-00000000FE01}428C:\Windows\System32\wsqmcons.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AC-6154-1600-00000000FE01}12721924C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C900-00000000FE01}6080C:\Windows\system32\devicecensus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1A15-6154-C700-00000000FE01}1220C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AC-6154-1600-00000000FE01}12721664C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-C700-00000000FE01}1220C:\Windows\system32\wermgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a7a1|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}852964C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.587{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001520342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.375{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-52985-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:29.817{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-43467-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:29.535{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50097-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:29.313{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-48623-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.133{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A726CB3A99F05B21BD72DE883C26DF40,SHA256=305C5C99C7089DE3D540EF026ACA923ADEEE8864ABA73601FAF44F868608CA09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.853{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.853{5EBD8912-18AC-6154-1400-00000000FE01}9481172C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.775{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=487CCCD205BABAE79C260C0BD62BFB4A,SHA256=496C121A478043665963A27D6FBEEBBDF930D6EF954782A95BB6D045F9FA251B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.775{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86ECDB4CA991F72CBADEAF6A5C0C3F26,SHA256=D678D5C84254C53770EDF2D87CE7D38B3D1D6E591AC1242711242167F898A3F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425367Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:34.795{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2558598C413AF3EF8302F24D68847199,SHA256=2AA8885A9C8E5CE5FAFE67F2E1F295A23E947EE711479F3761B044E68B0CC383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425366Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:34.764{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9CFD298A8F3A161B9D85F1214C59DE1,SHA256=52D07FAF1C0A4B98E72F08812B8992B40616624486F8819A70D13639E9D9B260,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425365Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:32.403{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-51490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425364Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:32.364{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53476-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425363Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:31.888{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49803-false10.0.1.12-8000- 23542300x80000000000000001520424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.274{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9539D8FBA07B0E2037BCD1499DC924,SHA256=60C608E6B9E30EB68240A51FD859D9E639FC8C65F6F2D7F0A8FA5ECCD12A6734,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.895{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-47741-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:30.829{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-37678-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001520421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.196{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.196{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.181{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.102{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.102{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.087{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.056{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-1A15-6154-CF00-00000000FE01}6088C:\Windows\system32\wbem\wmiprvse.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24be7|C:\Windows\system32\lsasrv.dll+25d2d|C:\Windows\system32\lsasrv.dll+24a65|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.056{5EBD8912-18A9-6154-0B00-00000000FE01}6402808C:\Windows\system32\lsass.exe{5EBD8912-1A15-6154-CF00-00000000FE01}6088C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249ad|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.009{5EBD8912-18AC-6154-1600-00000000FE01}12721052C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-CF00-00000000FE01}6088C:\Windows\system32\wbem\wmiprvse.exe0x101541C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+20fee|C:\Windows\system32\wbem\wmiprvsd.dll+43f7|C:\Windows\system32\wbem\wmiprvsd.dll+15538|C:\Windows\system32\wbem\wmiprvsd.dll+1498a|C:\Windows\system32\wbem\wmiprvsd.dll+146e6|C:\Windows\system32\wbem\wmiprvsd.dll+140fe|C:\Windows\system32\wbem\wbemcore.dll+b920|C:\Windows\system32\wbem\wbemcore.dll+255ff|C:\Windows\system32\wbem\wbemcore.dll+24a9a|C:\Windows\system32\wbem\wbemcore.dll+2485e|C:\Windows\system32\wbem\wbemcore.dll+dc51|C:\Windows\system32\wbem\wbemcore.dll+2cfdf|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.993{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-CF00-00000000FE01}6088C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.993{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38BEE7D168AF4D60CB6EC86BF17288B1,SHA256=4A50565557B04B22A80A84CA458A6A272C811906A372EF1ABB08CB3B4B07D23C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.962{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A15-6154-CF00-00000000FE01}6088C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.962{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A15-6154-CF00-00000000FE01}6088C:\Windows\system32\wbem\wmiprvse.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+366e9|c:\windows\system32\rpcss.dll+3bed2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.962{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.962{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.962{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a16d|C:\Windows\system32\lsasrv.dll+2704b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.946{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.946{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:35.963{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C7157C64DA8B3551007033C8B6BB86F4,SHA256=415075B84E0AD98114D03AE00C1FCDAA1D924A611AC25EE784E599F8C479A9A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:35.775{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD9143DD16A4D85C029E9D21ECDE715,SHA256=9ACC5E1B4E063C00D70B13B4C709672EC47F98D7E47A51606E877BB4822563A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425370Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:35.920{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B2B774FA1BF9806D3DC18BD3414437B4,SHA256=90981B77FA10414ADBDD472B6C45E0B55A66FA2041BFE64164437353F48DFF7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425369Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:35.811{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417E0A39AFECB89EDCF8A81BB29787D6,SHA256=45F012F3DE06812E6D051CB269A2875FCAF9E12709E2E3D353B6D7050271B50F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.110{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-56113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:32.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2617-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:31.973{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:31.441{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-57210-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:35.134{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B9B5FB0D72ED2168D019C5A4228E97C4,SHA256=A6E2FD1C5F96FF0063266BEC7B46DAAC4E054286761AF5CA2CE4AD0950F756E3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425368Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:33.503{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-59186-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.775{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3653BAF889DAC5539576035D192C5333,SHA256=AE40A0D5D2B55B3CF1FD8A89FB6173C7D9D9A9E54D3FAFD37D72CC97B49DFDB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425373Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:36.811{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72F0AB6098CC08749D8B7C9E4BDDA801,SHA256=3EE8236E7D033A8AA90E70B2DC0D052FA2ADA1951C45B32C35495C1C055658FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.238{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-1904-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.698{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50098-false40.125.122.176-443https 354300x80000000000000001520436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:33.645{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-7246-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425372Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:34.597{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5832-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425371Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:34.264{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-54550-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425375Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:37.858{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62C9A9C79FA8545A7D2E2FB4AF02817F,SHA256=7E9E40833A6C54A805DC1C9DB3AC66F269D6D101681551AE4523882F6DB1891D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:37.776{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03AABE576E551A2EBC6A843775957C88,SHA256=A902A05AED638B5CDE18D2FDC0C1C2B2270FEC47A1BCD0AD1922DE3C9417BC86,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.720{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-11500-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:34.354{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50099-false40.125.122.176-443https 10341000x80000000000000001520441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:37.213{5EBD8912-18A9-6154-0B00-00000000FE01}640844C:\Windows\system32\lsass.exe{5EBD8912-1892-6154-0100-00000000FE01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+2b3d4|C:\Windows\system32\lsasrv.dll+30929|C:\Windows\system32\lsasrv.dll+2e287|C:\Windows\system32\lsasrv.dll+2d211|C:\Windows\system32\lsasrv.dll+15ded|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001520440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:37.057{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B51DA83EE2388013E80533DC6DD8F34,SHA256=03449738AC786C8E5FC3ECA25A230152458DDE3E090766C97C3B6D4ADDE05A99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425374Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:37.092{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5127D50D4239BA5FD51F6D522E8DDAB,SHA256=3B92EB688AE5BA77E188D02C384AC84E8A3BD5B93B84B5B6172D3E7DC052C9C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425379Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:38.889{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B5B72A48C8F4A60042640B1FC0231B3,SHA256=DA6D2715C57A753627A641BEFECE6DE28B0CF7494220B27626A53D1376FFD5B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:38.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5450170A5742638CE3DC5D691324E34F,SHA256=3ACDDD65394A7EA511A6D56CF8318FEB80ABF21CEE5BAE51D6826A6351FB9470,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425378Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:36.909{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-17810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425377Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:35.818{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11894-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425376Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:38.155{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12F247C5B2915B73909316D11896C175,SHA256=780DBA32F893AA00C409DD67846555FA4059A687600797F29D45CA01FDB7654C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.552{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50103-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001520455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.552{5EBD8912-1892-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50103-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local445microsoft-ds 354300x80000000000000001520454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.452{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-429.attackrange.local50102-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001520453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.452{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50102-false10.0.1.14win-dc-429.attackrange.local389ldap 354300x80000000000000001520452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.441{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50101-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.441{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local50101-truefe80:0:0:0:65e5:9cae:dd2b:361bwin-dc-429.attackrange.local389ldap 354300x80000000000000001520450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.427{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-10354-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:35.782{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-15634-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:35.578{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53871- 354300x80000000000000001520447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:35.359{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50100-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:35.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-6201-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:38.182{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C11417303FB1EA652AE582DC121B68F,SHA256=7F54BBA6783C0746A53AACF0220660E91CD836527725F23B4578C795A2925155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425382Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:39.936{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B06EDBB84EF47BD0B720929DAA328238,SHA256=599543ED22EF968192295CA979A3185E41B5A8E090E9F95A239DF9AD501FD61F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425381Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:37.873{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49804-false10.0.1.12-8000- 23542300x80000000000000001520461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:39.792{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49A873158AAE03027BBF8D6ABD073709,SHA256=1E1BD842581C477351A033F03A94AE79B7BBC022E6B66BE0B97AD2AD4A74A35E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425380Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:39.312{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03183CE74CA328A9371499BC0325CF72,SHA256=55B9D452D91F7F1A9A13C63996E0FDDCF1856C20E5B067CCE5CFCDA2246E3E9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:37.536{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-14773-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:36.932{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-20020-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:39.245{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DF41276EC72ADD730E62CAB457C4B47,SHA256=CC2D6A31ADFF6FB5364FB468744D12601A1C371DF37804E0550D73827B413EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425387Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:40.968{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2ACFDC298395D012E1E372B6C5B90CA0,SHA256=C3460572A959C7BF3AA6D8642AEC63B3F597CD3094BDCD5376035260433D097A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425386Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:39.167{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-29226-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425385Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:38.548{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425384Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:37.988{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-23265-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:40.793{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5726C4FD14ADFC2595CA39ED6F8B558,SHA256=003FF4FF7CC5B64A6054CB94D1511E3E9AC835AD4DD707A92D4959262AC7ED9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425383Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:40.452{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AAAA90633681B80059A531270D9F797,SHA256=49DF440E63D2DDB6E955A390FAA44BBA2434021DFB7E5B472607CC59AF87B4F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:40.371{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=210503E19B582A9C0B771851B5B09B23,SHA256=A56F60D29F44B5138D47F796FA8000122126D8CB71873BA0C759DE885A5F4309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425389Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:41.983{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A73BD42C1EBBC0A19303405A25C11948,SHA256=DDB2191D8FEB4223FD1560AB6B2F5EF7EF1F6B619833BCF7F0810C2ADD9F8030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:41.804{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=508B0EFB145F91BA422E0405F29A30A9,SHA256=BA78AD95621297C5BC92962AA210DD408C044A791E413249FE57A4CBE9C61406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425388Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:41.593{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C43AB45E374E3942D0DC2B1A977F8077,SHA256=23EB197A11444894F6EEC1B1D764F89B9201CB3518DAF99F752FF915217D47CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:39.125{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-28827-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:38.630{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-19103-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:38.029{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-24479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:37.890{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-46254-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:41.465{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F932012643B5CD153E333DCD27410C9,SHA256=10ACAFA48E925D663C416CF1F2F9370919220E3A34CD2C08A582D91EA9BCF4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:41.418{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=591F49E45191CF7E1F92BA1849068EA8,SHA256=808A4EAFCCB33006CFDAC372A77777F5B846C9F9C683EADD48F3E7FEF7236326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:41.418{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A3AB7ACF4F00E31BEB0B989E474C0C10,SHA256=FC6B46C900EEA5DC50E1E68FBDC34A13F10B5E559AED0D4B453957919DF511DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520520Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520519Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520518Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520517Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520516Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520515Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520514Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520513Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520512Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEE6E12BC13585507EAC684BE419037,SHA256=9746096C8B29B75AA7C7542EC01B5259B9B848925529CCD87E0B13B7F97CAE02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520511Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.820{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425391Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:42.686{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B03316838D9481436D98BA7D563D170C,SHA256=168BA4E3DD386F2952CCD2FE91D34C21E7754927A870DEFA35A98DF28FA8518F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425390Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:40.269{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.664{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D091F0BB80B4CC0AC084B1906222E68,SHA256=048A54F73BADEDBD0EF7E3C04706CBEFD9677118F1D7AB60C11288E21CF9671F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:40.426{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50104-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:40.204{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-33132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:39.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-23648-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425409Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.952{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=875668E1B7703D2E1589FC2773D54366,SHA256=58FAB414381D315E517DF5289A176F2BF9D65108AAF946E8501963FD1439EB4A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425408Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.796{69CF5F33-1A1F-6154-A700-00000000FE01}15723736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425407Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A1F-6154-A700-00000000FE01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425406Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425405Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425404Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425403Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425402Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425401Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425400Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425399Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425398Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425397Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1A1F-6154-A700-00000000FE01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425396Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.609{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A1F-6154-A700-00000000FE01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425395Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.610{69CF5F33-1A1F-6154-A700-00000000FE01}1572C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001425394Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:41.409{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-40508-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425393Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:41.156{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-3929-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425392Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.015{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8032F33C0933CAE5E39EBD40C1690301,SHA256=2981AA02A5E069BB8C5F87524673B59CB0C4FF1E4C0589284B44EDDD47007B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520523Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:43.743{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54C3CD1499A5D55E32D01463C9421F06,SHA256=1033346F1F57FAAF7F1D1B1592B110119DD874C08CD7FC7AE4CAB7C878C681A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520522Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:41.365{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-37403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520521Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:40.892{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-27888-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001425438Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A20-6154-A900-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425437Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425436Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425435Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425434Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425433Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425432Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425431Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425430Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425429Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425428Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1A20-6154-A900-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425427Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A20-6154-A900-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425426Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.890{69CF5F33-1A20-6154-A900-00000000FE01}1920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001425425Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.421{69CF5F33-1A20-6154-A800-00000000FE01}32042944C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001425424Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:42.552{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-46464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001425423Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A20-6154-A800-00000000FE01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425422Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425421Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425420Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425419Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425418Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425417Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425416Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425415Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425414Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425413Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1A20-6154-A800-00000000FE01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425412Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.218{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A20-6154-A800-00000000FE01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425411Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.220{69CF5F33-1A20-6154-A800-00000000FE01}3204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425410Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:44.077{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25A43D41FBEA57249E508872D1A208AB,SHA256=46C5FC047E0B2C10A3183047D1B3566363CF0B4019323CE16979055788AD4382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520529Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:44.837{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8DAFC09555367DBDEB31269724E11A00,SHA256=60D07C010E48B416BCE431B468422C192F558C5492D75B4C32031B1CDA5C968E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520528Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.536{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-42277-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520527Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:42.015{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-32482-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520526Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:41.433{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-51069-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520525Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:44.384{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520524Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:44.118{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF3D433B0EBEC9754DA1851BDE7100F,SHA256=EB795C8A2948E3457D07AD6548BC43A97AD28E3D000C6F65FCFFDB7F2861D89F,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001425456Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:47:45.578{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x4a8b22ed) 10341000x80000000000000001425455Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A21-6154-AA00-00000000FE01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425454Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425453Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425452Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425451Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425450Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425449Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425448Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425447Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425446Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425445Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1A21-6154-AA00-00000000FE01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425444Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A21-6154-AA00-00000000FE01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425443Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.562{69CF5F33-1A21-6154-AA00-00000000FE01}3500C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425442Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.358{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BA5E6A74FE4CC8A4067E4FCAF1B2460,SHA256=57215CDA0EC790B99146474B283E44602B2E2798D49556539E36130518F9548F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425441Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.358{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AE5F48888DE2AE8502D4E78A9094856,SHA256=97650850AA71675C86D4EAFBDC8883741BABF3ACF4BDAD13DAE1FB969BA80095,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425440Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.029{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49805-false10.0.1.12-8000- 23542300x80000000000000001520532Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:45.916{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA423B8CE2EEDA5956CF09EF4DC48667,SHA256=6A6D2691A5FED9454C71B8946AAF8DAEA88ED05D58D16C46485C028928D668C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520531Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:43.095{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-36820-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520530Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:45.118{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDC00B7D5BCAEADA58621D93043E650,SHA256=32C88D0F9F0B456F6919A3C0FEE26AED622B8C9682389FF9283A660543B63CBB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425439Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.077{69CF5F33-1A20-6154-A900-00000000FE01}19202012C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425460Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:46.405{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AED16355A2C4F98E6322CC1D22D206A,SHA256=5F636D2448BD106E508724DE5BE139A018CE3E18CC885C981F47F35690C8EDD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425459Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.019{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-59209-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425458Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:43.866{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53356-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001520538Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:44.188{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-41065-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520537Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:43.877{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24292-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520536Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:43.853{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-24134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520535Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:43.715{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50105-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001520534Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:43.637{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-46731-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520533Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.119{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=366FEC1344E84F377FE639C52A5D675C,SHA256=DE26B48112138EE3F40F57C919374ABE5F959CE5751F8EC956DB9CF85B1522DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425457Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:46.359{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9CDFE9AEB2771900A944FE60B0B4EEFB,SHA256=CF3A7198FC6A4D15441E88714128E8049CD92C202D9456B63B9F5F23EE965C55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425463Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:47.515{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9B89B87221303193C7F7E4F8B59B9712,SHA256=8CC403856C24A30A3314E41116BE28CE879786B85C8E094B2CEE13AB2A213B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425462Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:47.437{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EA2299371879F72855CFD872D8C0B5,SHA256=36414C7AB241D655A473FD9866A364DD0DEB033138724BD16F18D012F75CD1F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425461Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:45.770{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-10132-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001520543Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:45.266{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-45497-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520542Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:44.970{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-32296-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520541Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:44.701{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-51072-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520540Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.135{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F4B2F0633A331F7F82D2D3036460086,SHA256=63EA57FB91E0F7D35A142C705DB7FC10C560D5391616E432ABA01D56849E539E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520539Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.994{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47255E8E1CC8F69F523AF48F9D24EB37,SHA256=422FDA0CB505CF9C67337514C3F11D40870C9193AC5FF0EE5C9AD41F76DC0D19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425466Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:48.828{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=72D3BBD4AD38A5F0919E99EA7CE198C8,SHA256=AB90EC6FADAF96D787756FE846E6A77176F721B7D1BEE588328BA387FAC0840C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425465Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:46.190{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6567-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425464Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:48.468{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4B83BA573FCDBE2437FE0726B155A7,SHA256=93594CF151AE4633BD4326B05ED57AFB2F1E889447E008ED42240D67E42B3B03,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520570Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.055{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52427-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520569Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.017{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52293-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520568Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.981{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52193-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520567Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.958{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51940-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520566Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.924{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51711-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520565Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.902{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51433-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520564Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.854{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51300-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520563Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.772{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51223-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520562Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.720{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51155-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520561Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.697{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-51050-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520560Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.661{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50904-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520559Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.624{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50796-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520558Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.602{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50710-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520557Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.580{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50572-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520556Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.542{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50474-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520555Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.520{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50382-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520554Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.498{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50243-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520553Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.460{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-50078-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520552Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.423{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49971-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520551Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.402{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50106-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520550Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.401{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49898-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520549Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.379{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49740-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520548Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.345{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-49649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520547Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:46.064{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-40208-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520546Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:45.965{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-55863-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520545Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:45.824{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local58544- 23542300x80000000000000001520544Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.135{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81497761E50CB04438B789A8E971CBC,SHA256=009F23AB9473AB0ECC8F0000B303406BF3FF20CDB6F6B1C54EA6C742D4301473,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520630Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.815{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4294-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520629Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.797{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4220-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520628Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.793{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520627Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.779{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520626Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.768{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52233-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520625Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.761{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-4034-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520624Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.746{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52070-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520623Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.743{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3955-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520622Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.725{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520621Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.721{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-51820-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520620Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.707{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3791-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520619Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.689{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3710-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520618Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.684{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-51593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520617Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.671{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3636-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520616Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.652{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520615Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.647{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-51318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520614Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.620{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3343ms-cluster-netfalse10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520613Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.608{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-51083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520612Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.587{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3251-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520611Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.572{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-50819-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520610Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.568{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3167-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520609Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.550{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3091-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520608Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.533{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-50659-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520607Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.532{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-3037-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520606Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.514{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520605Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.509{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-50524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520604Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.496{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2934-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520603Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.486{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-50276-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520602Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.477{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2832-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520601Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.450{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-50077-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520600Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.447{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2786-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520599Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.429{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2721-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520598Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.421{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-49849-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520597Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.411{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2635-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520596Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.390{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-49612-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520595Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.378{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520594Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.360{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-49381-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520593Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.345{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2482-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520592Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.327{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520591Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.325{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-49017-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520590Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.293{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2220-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520589Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.282{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48776-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520588Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.260{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2130-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520587Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.252{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48571-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520586Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.244{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-53067-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520585Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.228{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-2038-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520584Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.225{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48317-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520583Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.223{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-53005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520582Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.201{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52937-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520581Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.197{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-1919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520580Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.189{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-48174-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520579Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.178{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52888-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520578Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.164{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-1654-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520577Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.157{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52790-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520576Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.121{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52722-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520575Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.110{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.34-1494-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520574Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.099{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520573Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.077{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.67-52566-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520572Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.448{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCDB327D3962309B35A11967A3882E89,SHA256=2D94EBF1D68A18D7006B9F83094749E8C2BB4047D6C3A624CE4C5F019086C070,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425469Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:49.906{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=816EFF641A4E217FE155D136D160956C,SHA256=8FD221928915B418EB623E5253747170DF9BB63C031642A6D1349156E3A7BB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425468Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:49.515{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15435BEC7AEA8E5414F579BEBE8CBCBA,SHA256=4EBB20AF72F8A7F068B7D23C0CA7FF2267751C5F9157A3A2748CF06A25FBB4EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425467Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:47.357{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12464-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520571Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.104{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC45CC50E6D94EE99AE197A35E27C3D3,SHA256=97F230BCA6A3AAA2948713FCC669B17AB3BB68EA5E529C15E4DB8E9BB823F49E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520656Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.707{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1042-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520655Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.674{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59982-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520654Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.642{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59939-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520653Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.610{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59910-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520652Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.554{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59866-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520651Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.445{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59747-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520650Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.396{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59644-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520649Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.351{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520648Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.319{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520647Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.268{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59364-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520646Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.230{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59345-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520645Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.209{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59339-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520644Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.187{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520643Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.163{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59226-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520642Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.127{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-54318-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520641Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.091{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-54191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520640Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.068{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-54014-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520639Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.030{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-53916-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520638Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.007{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-53778-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520637Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.985{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-53558-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520636Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.960{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-53416-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520635Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.938{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-53202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520634Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.905{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-53123-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520633Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.854{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52805-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520632Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:47.817{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-52621-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520631Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.589{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55BADBB0C2154B5A29E49F140E26FD3E,SHA256=79C4CF9FF74F125A2AC148264027B6FAA85D91A37F4CAFD153772E709F8C2B02,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425473Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:48.904{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49806-false10.0.1.12-8000- 354300x80000000000000001425472Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:48.646{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-19102-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425471Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:48.247{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-13051-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425470Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:50.531{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1B587186C4D8CFAB07EEB1EC149F43,SHA256=D94E4432CEBB3896140FFE2371206436115AA1EFE0CCB25D265CEC867A343A80,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520700Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.815{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7353-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520699Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.792{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7135-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520698Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.755{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6842-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520697Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.718{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6693-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520696Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.695{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6528-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520695Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.673{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6358-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520694Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.651{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6184-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520693Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.627{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-6028-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520692Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.605{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-5788-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520691Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.568{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-5637-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520690Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.546{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-5520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520689Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.530{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520688Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.524{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-5332-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520687Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.498{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2280-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520686Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.487{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-5221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520685Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.466{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2256-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520684Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.464{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-5048-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520683Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.432{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2255-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520682Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.428{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4912-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520681Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.415{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2221-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520680Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.406{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4735-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520679Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.384{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2198-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520678Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.370{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4596-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520677Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.366{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2148-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520676Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.349{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2096-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520675Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.348{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520674Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.326{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4330-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520673Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.304{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-4159-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520672Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.280{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3979-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520671Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.253{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-3624-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520670Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.222{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1867-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520669Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.205{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1853-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520668Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.187{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1842-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520667Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.167{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1762-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520666Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.149{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1678-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520665Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.131{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1570-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520664Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.098{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1530-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520663Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.080{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1443-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520662Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.047{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1403-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520661Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.010{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1365-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520660Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.907{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1286-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520659Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.810{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1160-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520658Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:48.755{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1087-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520657Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:51.621{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15184A818DAD84FF55E17DBAE0100216,SHA256=09BE9C1E07F9EEFA2363E8C11E08A9A268DC12553EC707F762B5DEECE9731B00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425476Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:49.738{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-24406-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425475Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:51.562{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE80A62D6867CE44645DFD422C70D57,SHA256=E7C1A9400865582C96D1D80FAF6042CEB81DB1148B040166DA027607AD9579D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425474Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:51.000{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C343E3FFF593EC9DA76E8A1DBA00AC,SHA256=5FE8F9D9A71CF92887AFBCEA7ED0CFDF0E3C830F5B3A2317554CC3DEA3EE1E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520715Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:52.872{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA4C5E97000086CA9D371D1D07893E3,SHA256=02C9815358B0D1B3A0EBEF969725EC3167A140833B503B15C1C5083D88F3BF69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520714Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.161{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9640-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520713Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.138{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9497-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520712Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.116{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9337-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520711Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.094{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9164-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520710Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.071{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8980-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520709Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.049{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8735-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520708Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.013{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8616-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520707Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.007{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2716-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520706Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.990{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8367-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520705Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.953{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8237-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520704Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.930{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-8033-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520703Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.893{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7908-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520702Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.872{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7779-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520701Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:49.850{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-7527-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425479Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:50.910{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-30542-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425478Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:52.578{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FCA79AE349D527714CAB734921D110C,SHA256=70262E53496AAD966E09750B25CE8C2C0AAC4A0847AA75732521600062982C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425477Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:52.250{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=827CD02FD09EC18F5B8148F091719F7D,SHA256=0ED8D7BA36C06A1D62BA27CD278F66A0F600436051277A13E3E7560F9816ECA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520725Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:53.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63A9171EBFCBEA415F0396E97922E91C,SHA256=B8EAD92CC49A103F848CB1DA4D0698B78BB0A91A333CB405E840A4D2E5387208,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520724Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:51.418{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50107-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520723Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.513{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-3259-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520722Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.362{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520721Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.360{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520720Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.297{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10343-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520719Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.268{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-10056-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520718Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.212{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9962-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520717Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.187{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-2899-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520716Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:50.186{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.61-9829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425482Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:51.245{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-17097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425481Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:53.594{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FFDF25DCC7E878D0828D056BD830F85,SHA256=DC82B0A0C9A6971782E01FA05DBBE65B68B657819F92F5E42F387C1F2CD2F86C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425480Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:53.375{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8901A0D21A9E51E9E322A9EF92E58196,SHA256=EF3A61E9F4E0C38F205786567702E895CAE16FA8842C44D81268CEC7C90F377A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520726Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:54.716{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A76A39B63BD66C208F15ECA5BB820D8,SHA256=52A7096C693C6669D45C423EA5A60FD69F422B1382B15B105056014B66A68359,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425485Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:52.128{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425484Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:54.625{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4AC264356CCBE6E6E723976A7A7FACE,SHA256=14602C1BFA490A4958D288CDE86DFFAEE4DC625ADB012CC2931085B52B5E948D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425483Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:54.516{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B734E5FB82A64A6061EA5793BF36F05,SHA256=AB00FE207DC1497E970D029C52FFBDC2FBE77A800140523EC66375A8D003EA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520730Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:55.929{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-005MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520729Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:55.721{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C840689FA79122288ABD5FD0387D2723,SHA256=288F3CA4F26212A4A799B3A7F2B2D3D4383F53ABE059AE6C3DDAA165179F0A50,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425490Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:53.782{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35571-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425489Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:53.742{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-35458-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425488Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:53.229{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-42423-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425487Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:55.688{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C73F2703DEAAE15A3C247F3F4523376,SHA256=9D15BF2E500FCB463E43BC299A9A721AC994156B4C6DA7DC8B57728A831A07C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520728Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:55.310{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8776DAB5F7FE3F61605BB622919ED438,SHA256=EBDB78D3D5B245DBD3277595CF3CBFA050ACD3BE9DF1F821519F1A9B580E97BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520727Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:55.310{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C26DFF1AB1BAB30BF58C54A9DBF82DB,SHA256=37E07ECB174A7B613A81973169A4EA1BCFA54F1D8599F376266132FD0A4D15BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425486Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:55.594{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4019A2937913AD1DEEB6871F3ED469CE,SHA256=859072D20B39AED4BA331AF04FD335EB9C41413D2F19ED0948A3210DF5A5B4E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520732Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:56.944{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-006MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520731Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:56.765{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DC6C2E089A69ADD2F95E4834C3E4E21,SHA256=1B74CC9574317CC04BC13AFAB57446E67B574641C3C0A4D4C19EE03C21E7602D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425496Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:54.894{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-42160-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425495Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:54.331{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-47950-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425494Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:54.090{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425493Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:53.997{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49807-false10.0.1.12-8000- 23542300x80000000000000001425492Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:56.766{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DA6F55A7FD41D481CAC70049622B959,SHA256=FF627443A0326FAE53E75B0420766D8BB3C412AABDBEF5BC30C608489CE3C05F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425491Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:56.703{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A8362CA12B25D9783B329D120D6145B,SHA256=FDBB270DE6FA7D50565F5EA74EB8ED91C18C818C02D1925C284A801AB59A32C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520735Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:57.836{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D3F28163AF708B625BDC4D57CD9877,SHA256=D2FEF1D6BAEEADF99F43B1257D64CEAFB95BBE799047366D765D62A0A2110A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425499Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:57.891{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=265C143F0730EC2E699970F4289633FC,SHA256=50E6E8DD5CB400084FF3AB06DE5111CA656B9743FB7A458EDF71AB7A17043BFC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425498Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:55.448{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53626-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425497Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:57.750{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDA87B828D9BCA40BCF9DD998A309F2D,SHA256=F8A2123B6331FEB9B49B81DA549B3C6750EE7C28038D6F1A059E1AED1D82A82D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520734Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:55.248{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-10627-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520733Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:54.991{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-429.attackrange.local53domainfalse10.0.1.15WIN-HOST-54251210- 23542300x80000000000000001520745Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.883{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8776DAB5F7FE3F61605BB622919ED438,SHA256=EBDB78D3D5B245DBD3277595CF3CBFA050ACD3BE9DF1F821519F1A9B580E97BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520744Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.836{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F9E8B1369002DEA10E11680C54489B8,SHA256=AA1A19D1979E00B1DEA51E880B5A80B1CA1035BDEE3463853479E0B3D73D6841,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425502Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:58.797{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=615A8E99F5EF6BC890B82BD55DAA759C,SHA256=E05E73D8E3214AB3C26019E135AA23B039ABC17744DCED141AAF0C930EE6D77A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520743Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.539{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A2E-6154-D000-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520742Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.539{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520741Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.539{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520740Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.539{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520739Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.539{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520738Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.539{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A2E-6154-D000-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520737Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.539{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A2E-6154-D000-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520736Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.540{5EBD8912-1A2E-6154-D000-00000000FE01}592C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001425501Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:56.242{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-23793-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425500Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:55.990{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-48180-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520755Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.868{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5734532A173BDE7732D53388542DEFD5,SHA256=592D174B0FE6044E183802B98EF82057F3792488F9972AB98EDCF5EB677AF403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425505Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:59.829{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=497F0E604AC3E65690B2E441913AD0BC,SHA256=4560287D155923B64F1BBF968AFCAE128EECFDD44192CE59FAF0A0DD7170EB8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520754Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.821{5EBD8912-1A2F-6154-D100-00000000FE01}42244324C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520753Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.540{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A2F-6154-D100-00000000FE01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520752Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.540{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520751Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.540{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520750Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.540{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520749Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.540{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520748Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.540{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A2F-6154-D100-00000000FE01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520747Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.540{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A2F-6154-D100-00000000FE01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520746Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:59.541{5EBD8912-1A2F-6154-D100-00000000FE01}4224C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001425504Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:56.581{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-59514-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425503Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:59.016{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CF0C592FE6382E4DB983846F4F4E483,SHA256=32BD0C84A53F6F8A37418338B7AFE318780C8089F2ACBEED73EC4A8F7580422D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520766Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.869{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7036FE1510359D31E235B730873A3687,SHA256=80A72460DD2AA8D06BBF6E7CFCD01E23D9C56A0029510EB3AD8C7157730AB0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425510Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:00.844{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A2A76698DB87E07F0992B5552BDC8E9,SHA256=ACD8D35CDFCC39FB546B29F0256A21716E4BDA7B4A2917002A600E62608E8E1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520765Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.306{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28CD165548A740F9AB9BEC3F1A587CFA,SHA256=D056A23F20B756772735C726961D30061CF86028D0556292AFAF79556F3B58BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520764Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.243{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A30-6154-D200-00000000FE01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520763Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.243{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520762Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.243{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520761Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.243{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520760Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.243{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520759Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.243{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A30-6154-D200-00000000FE01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520758Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.243{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A30-6154-D200-00000000FE01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520757Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.245{5EBD8912-1A30-6154-D200-00000000FE01}3692C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001520756Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:57.365{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50108-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001425509Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:58.159{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-2022-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425508Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:57.706{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425507Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:57.080{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-54674-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425506Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:00.141{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24F4F5256F1DB9FD3A3DCCED15F55CF7,SHA256=91BACEDA8F485E3EB70EAB7756E9C6216A8D010F0C62BAA5E433E81B072E5F06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520773Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:01.957{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CCC04507E6D793A984C2DE65F4EF69,SHA256=A17D26341827173922F563EAD3586359D89785B05CE0AE957F39A5873C871146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425516Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:01.860{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D89C80F13CC89DD717F36317616F50C8,SHA256=463E4F3279B6DC7340AB97EDCCFF4CE03579BF43A4A5137F89A46430B3929432,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520772Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.659{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-14015-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520771Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.630{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50109-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001520770Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.630{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50109-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001520769Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.595{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13983-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520768Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.548{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13913-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520767Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.497{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-13878-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 13241300x80000000000000001425515Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:48:01.579{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x5414c076) 354300x80000000000000001425514Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:59.919{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49808-false10.0.1.12-8000- 354300x80000000000000001425513Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:59.237{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-8230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425512Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:58.846{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12166-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425511Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:01.329{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E772C41AF32100207D7ECD39DBF0E987,SHA256=0E16FA79EBAD971195852617D04145B554EC860746056B1D8BCB861990873CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520784Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.958{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E03BA165F3471E4E704D02543051609,SHA256=6F8D5AD7DA2B65C2BE7C950C41587156916D71274497F12BE5986F77F789D1C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425521Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:02.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D238C9FA42F65421DDC820A8FFCB548E,SHA256=2F3F5935921943F7FA891384E6C7D663B9F7518AD18D89335199B47E9FB444EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520783Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.614{5EBD8912-1A32-6154-D300-00000000FE01}51965888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520782Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.380{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A32-6154-D300-00000000FE01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520781Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520780Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520779Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520778Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.380{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520777Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.380{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A32-6154-D300-00000000FE01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520776Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.380{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A32-6154-D300-00000000FE01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520775Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:02.380{5EBD8912-1A32-6154-D300-00000000FE01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001520774Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:47:58.713{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-14037-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425520Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:01.143{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-24296-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425519Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:00.330{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14463-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425518Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:47:59.970{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-17991-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425517Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:02.485{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB36736D38860B6C2212F02E378CADB1,SHA256=3264B6C1B8831BD6DBC528F8CAD424F82A9277F6365E250CB8C346330C9A77B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425524Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:03.892{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0BDCD0FC7B4EB3770CE9EE557AFBCE4,SHA256=5F520AD522C9F513E205592DE94E23CF04DFC5B53F01419132445F8EE2452DFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520805Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.864{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A33-6154-D500-00000000FE01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520804Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.864{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520803Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.864{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520802Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.864{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520801Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.864{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520800Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.864{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1A33-6154-D500-00000000FE01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520799Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.864{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A33-6154-D500-00000000FE01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520798Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.865{5EBD8912-1A33-6154-D500-00000000FE01}4576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001520797Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.520{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F0ADD236EBABCA44010CA7784A9EE802,SHA256=37ACF9CBB1AD3735D81DF7BD3EFEB62A2A09FB26138ECC43B587065207B4D33E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520796Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.396{5EBD8912-1A33-6154-D400-00000000FE01}47044960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520795Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.192{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A33-6154-D400-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520794Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.192{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520793Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.192{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520792Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.192{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520791Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.192{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520790Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.192{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A33-6154-D400-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520789Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.192{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A33-6154-D400-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520788Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.193{5EBD8912-1A33-6154-D400-00000000FE01}4704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001520787Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:01.305{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17708-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520786Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.890{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17327-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520785Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:00.760{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17110-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425523Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:03.657{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3E31C4C79864FDC3E4BE99F35CCDE6D,SHA256=26D974BB4E8CC0C2143C2BE926900A2BD8BE044D955004DB5725B16F27904CEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425522Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:01.441{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-20589-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425526Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:04.892{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEF273B1AB42A34DBEDB2F6DBF7859A5,SHA256=EBB76B3AE03F68B91C740A4DC7D243EF23B27BBDAFF68D741823378EF71981E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520808Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.865{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6439ECA22874F5335C69E4429872B8D6,SHA256=E795EFDCA1C2C355A9559334FDD7E9C7ECC89293A56A1A34157ED70CE5AE1FF8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520807Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.114{5EBD8912-1A33-6154-D500-00000000FE01}45762568C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001520806Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.021{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D343C66F1DC2244026A6566748381AE,SHA256=23F7493D242D643F675BC1CC839E90DCD398CEBC560A69205C6E0CA04475D360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425525Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:04.876{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=613950F8CB4AC220810B53BB8181AA29,SHA256=445A49617C62FFC2A2E9782C3A673BE5DA16E18CBC23316D0A7397D5C704670D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425531Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:05.908{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96ED4258FAE73B6E07011CB1DF9F68A6,SHA256=6A5FA67E3A9443FDFC7B5D72B8F6FB4B448F786AAAEF36AAD9624E1CFB98B8A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520817Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.177{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A35-6154-D600-00000000FE01}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520816Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.177{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520815Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.177{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520814Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.177{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520813Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.177{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520812Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.177{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-1A35-6154-D600-00000000FE01}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520811Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.177{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A35-6154-D600-00000000FE01}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520810Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.178{5EBD8912-1A35-6154-D600-00000000FE01}5788C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001520809Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.021{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A50708D80FFE9B8B8F8E4AED8D8CB4,SHA256=01BCBCBB24C180FE03A23DFB0FAC9F1B7B06E4EC1FE668C3DA2D2D34FC6A7E07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425530Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:03.544{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-36109-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425529Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:02.561{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-27073-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425528Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:02.348{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-31526-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425527Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:02.315{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-30029-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425535Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:06.923{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93801ED3F5DF45EA848FB9935038C964,SHA256=3EDBB8E66C1D0946EB60600DD78A606DE7B6575EADCE5CA394673EAA075ECC73,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425534Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:04.693{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-41514-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425533Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:03.720{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-33490-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425532Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:06.096{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FF83DE08CB698BAAC2EF7D9E10C9D56,SHA256=6A94EDB200D509001C1D2608C8E1A7B780D3C062669ADEB8517201C3EB39AD4C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520826Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.449{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520825Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.325{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21786-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520824Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.240{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21725-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520823Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.191{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21683-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520822Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.137{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520821Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.091{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-21456-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520820Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:03.344{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50110-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001520819Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:06.193{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB923DA1617D8E824E3D2F76D2B3CBA2,SHA256=B370E2899212114B1D1F863A81BF1690EE7967C99FA78CC1AB4B9D54DD3E0285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520818Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:06.021{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C8CF68A77D43DCDB91CBADE2084871,SHA256=574CD2B61106F48FF6556911127790A086CFCE56D45C26C90F4AA14A931428AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425542Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:07.986{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32D61B093D1C52A226C139EEA13A0656,SHA256=0705644F67EB67C3107E8B15611E9060A2AA8A63B6987D8034F9FCDB630BCCC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520834Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.512{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23233-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520833Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.381{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23093-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520832Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.217{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22965-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520831Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.023{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22834-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520830Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.925{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22569-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520829Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.791{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22395-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520828Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:04.623{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22205-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520827Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:07.084{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E995F01BC506E71D838B4912346027D,SHA256=B1773284038DBECF6C72565BFBF137594488E6C229231FE8A20FFCF09129EF92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425541Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:06.000{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-47969-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425540Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:05.972{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-46773-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425539Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:05.841{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49809-false10.0.1.12-8000- 354300x80000000000000001425538Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:05.450{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-35038-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425537Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:04.893{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-40549-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425536Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:07.236{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCAC71B85B8F572EE37FCB428F1307E6,SHA256=51F607F31D7BF455E5F9DB336A31B908D803EA94C4AEDBB6B8D8A90FA1ECFF21,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001520843Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:48:08.929{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x58763a1b) 354300x80000000000000001520842Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:06.041{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23861-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520841Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.991{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23761-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520840Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.932{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23715-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520839Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.884{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23656-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520838Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.815{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520837Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.731{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23524-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520836Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:05.642{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23380-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520835Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.085{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=632B6B9F41C91DA6837FA8888E5835F7,SHA256=0EC2CCBDE115A7CBD100B474BBB8E5862C6A9792CC8F65364F60AF86C7B0C9F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425546Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:07.311{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-38219-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425545Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:07.279{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-54900-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425544Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:07.049{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-53127-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425543Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:08.299{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5181DA3ECE25C32520DACDAE356E8D6A,SHA256=E680F56931F2F5CE4D8F76FA7A649BDE022785C00615228082326B6F9423BBCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520849Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:06.945{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24332-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520848Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:06.281{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24144-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520847Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:06.202{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24089-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520846Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:06.139{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24055-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520845Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:06.060{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520844Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:09.101{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E4EF45A992019B1C6D42596F51E793,SHA256=017E6631E0E47D91F15335E284F607D83A569E0B413B0D6113CEE35E39F255E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425550Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:08.416{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-1503-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425549Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:08.128{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-59412-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425548Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:09.455{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B0EAF9911D328DE1DAAAECE36B0C085,SHA256=3D7762257F737A1A9AABC640B448457479AEE7899926579C20F9B63D52BC2DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425547Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:09.002{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB9368FF10B378F81ADCB0D5111DD672,SHA256=6F5E862C187ACDF674C83BBF5EA5709D711AE89B7A04DB5AAC13A3649ECC7753,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520862Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.449{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26579-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520861Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.413{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26509-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520860Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.395{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26271-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520859Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.375{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50111-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520858Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.363{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26159-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520857Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.327{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26121-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520856Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.287{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26112-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520855Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.186{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25942-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520854Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:07.945{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25716-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520853Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:07.863{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25631-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520852Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:07.365{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-25085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520851Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:07.248{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-24665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520850Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:10.148{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04900C69547CD5BF92FBEE206ECDC452,SHA256=CA749502CD26809A9D7047189A4B79D87848FDB96FAAFE0F1E2FBF516A09C876,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425553Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:09.268{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-7251-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425552Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:10.533{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3624F2B388F0565165C21EBA3ECD9D73,SHA256=FB5C154D867FF28542EA4FC03859779B12A46B62ACF4735F9ACBB672FE585640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425551Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:10.033{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2935B346664851C876A216234C97B74F,SHA256=9A69913117FC5CC3A23221F291ADE4D8A8BEB05799B302A5FE3A0E418B4D364C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520868Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.929{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26757-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520867Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.538{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520866Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:08.485{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26615-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520865Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.195{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=952BB60D80DFAD1672A3B263A33FB4CE,SHA256=473B677F3ACEE86E89FC0C8170D4F46AFF86B32D9FCBB3B416DC6441B376D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520864Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.195{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6336174D3C8938D4B2FAF075EFCF1DB4,SHA256=D9D970604D09288D52DFF6E22080D821187277C47EF50D28C3B3ECCCDF17DF5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520863Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.180{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=032A4E17F43BC39CDE7B3143B4530141,SHA256=6665F5980771371CE574C7EF10CD427CF134F4A842FEDCF4E2FDED7449A93000,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425557Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:10.347{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13373-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425556Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:09.646{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7715-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425555Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:11.612{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFB13F15203DADDF8DAE948DB5BCE701,SHA256=96A80FF83B1BA85024AD0C344C8BED0C0BF61C5A2DAA71987C230EE8D4230C70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425554Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:11.065{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9F3E34E39388977304281EC7C69224,SHA256=1A24FD38117CBF30F69F167E9B86C8A042C0F30ED7D12A56B9AB10F67C1D8687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520869Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:12.196{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6AA9FFAF18AF153248C425C9FB202E3,SHA256=FBA873623F810D5CCBC2837E04839A38131579031F086B038B1A38092D3031BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425561Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:10.816{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13379-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425560Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:10.730{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-42030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425559Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:12.690{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3855E5244393468BAD310F20ED907A43,SHA256=DB440894BAD52C01C8810FD7E3F4BA0BED8D6C3E1053FD18907800381803318F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425558Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:12.065{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B18A32DB5AD08126B5B0FCD28081DA7,SHA256=F930C344788C3B67156E50A599531D1CF50562D9D5D78220D1B67F526601E364,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520876Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.774{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31173-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520875Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.742{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31132-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520874Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.656{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30617-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520873Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.636{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30529-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520872Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.592{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30499-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520871Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.544{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30471-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520870Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:13.258{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC03797C116496E07B95C57AD65F031F,SHA256=89F3B46D45DE316D9A0E9EF53447C8CAC9146E4DE1B23728ECD6627BBE6A9204,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425563Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:13.768{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92B5E8060858B963D061F48F8C67D388,SHA256=480B895BD003E432F4DA5C8B88CD05E5D394CCC8E77CB0CCD6D943A36C8552BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425562Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:13.080{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D43AAA9769358F057B47EB065945FB,SHA256=CB7E00FAF854DE4E7D2F87468868CE9ACD50CE63559843BECCB4FE2D22C95BDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520881Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:14.790{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=952BB60D80DFAD1672A3B263A33FB4CE,SHA256=473B677F3ACEE86E89FC0C8170D4F46AFF86B32D9FCBB3B416DC6441B376D9E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520880Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:12.248{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31948-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520879Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.810{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520878Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:11.792{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-31501-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520877Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:14.384{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3812C6EE938FE558DB81B6B98B7DFA9C,SHA256=409D1601BD1F9F78DFFF2AE1C88CE0C3BDA52051C5E5D99EC894A8B731206FBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425571Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:14.940{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EA106358990270FE0A2883267B9DA98,SHA256=312A2F2A271345A128B0A35744260C21B865E6626DBE351CC46F17A2CA2F1EF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425570Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:14.409{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425569Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:14.331{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=60E61830463EC2E774C991986AD9AAD4,SHA256=5982C9084F3009026DFB1C04E52C85D1E0BCDDDF4707E84D25B60B8B6AA28E85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425568Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:14.096{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9B67C6345BD5ECCBE0A8961B85EB20,SHA256=81EB72DFCEA70F1EF5E405CF518C8F8176A99DC85C20A0476867944F79521132,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425567Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:12.502{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25867-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425566Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:11.894{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-19132-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425565Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:11.810{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49810-false10.0.1.12-8000- 354300x80000000000000001425564Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:11.424{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-19555-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520882Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:15.384{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6199995456B103617E5144E588EC9A6B,SHA256=A69784D465F1CD789FE87A7FA683AA1C779B53BFB1A06424E8F89222FD207D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425574Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:15.128{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17A0F696686847FD99CDEBF1192C246,SHA256=1910C594DB1AF0D8144BE547584CA6A3392BF36F31F12E47A3926BEF26CEDF60,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425573Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:13.061{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-24880-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425572Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:12.919{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-45457-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001520886Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:14.753{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35036-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520885Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:14.572{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34696-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520884Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:13.485{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50112-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001520883Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:16.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF17EB0182D3E14F9C3FDDFA2025AD0E,SHA256=2C65E2507C5D4FC453E1759D5E53B1A39834268B33A66FE72D847E4E77C6E5FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425579Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:16.143{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=217DCFA55C12EA25AFD18D4F2ACF444C,SHA256=7988C53B938D2F119C1AC5A82F7E899EF7EAA55FE5D9A5DAA6DFE2DB9E2CDE0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425578Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:14.424{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-31254-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425577Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:14.185{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49811-false10.0.1.12-8089- 354300x80000000000000001425576Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:13.651{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-32195-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425575Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:16.018{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7B683775EEC42DE64518031306438D89,SHA256=5D3088548A0BC7F8BBF206CB7BAD16DBE2A4A87F5A099706DA59E598D399766E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520890Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:15.887{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36032-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520889Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:15.149{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520888Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:14.987{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-35649-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520887Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:17.385{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF2138B0EBDC507B015796E849B3222,SHA256=1DB58C573C7C1F698DF93DB821538B469E6B6691D0E6ADBAF5B799E96599B55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425583Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:17.253{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6FDA632AC391EE80C235BCDA7FD1A47,SHA256=252A23D70917DF9623633CDE7B06D59635CCE3A19A870DD358C8F96F841AD7BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425582Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:17.190{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=625C17B2C4A163B8518FEACF2674D618,SHA256=6E6D3EE73B30B3E325FE4AFAA2DA3A2034D17FC35310A76428AA1D8C49BD4C24,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425581Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:15.596{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-37855-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425580Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:14.782{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-38942-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001520892Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:16.057{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-36538-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520891Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:18.432{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70E4DEDEEA8C594F86AFC7B621042144,SHA256=8E4785786968C12747DFF9324CD7E551EF36199ED19AC69533C628EB22F08715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425588Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:18.331{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBCC5872DEAB8BFE592E381CD8F36AD2,SHA256=BE29AAE04F7F79A14B048480E44839B7056B17330338C977D501F32462E0A7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425587Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:18.206{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843F766FD8E337B132AEEA4797BED4BE,SHA256=9788FCB47F606D193A79B36C7E15F73B5D922C519B748AFE293749ABBC3A7EC9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425586Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:16.683{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-43388-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425585Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:16.679{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-49613-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425584Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:15.960{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-45261-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520894Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.433{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB5BF0884B2441DCD473E5D6A47665D,SHA256=4CCC33A3786C0054D62E6C0103EA0BADD1209A52E799DE66C32975DF03843A59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425592Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:19.441{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C7C32F37868515BBD610BEC256B59C5,SHA256=F7362C841E7C8D2725F67EBD98AF2C166060BDCAD24640A95EE207C01F3ACD09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425591Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:17.065{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-51598-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425590Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:17.029{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49812-false10.0.1.12-8000- 23542300x80000000000000001425589Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:19.284{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5288D669DDE8C24993378B0E6103184,SHA256=816FCC62639097AFBF8B3B7E8DFB93E31BC4D770305D76EF2E7CFE10475A3945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520893Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.120{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3BAA8475C284E5120944C3E01EEBCC45,SHA256=EF6CBEB648EA830ED1FA4278F7FBFDF836D8528C3568CE76C867C86F8E4CD20C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520896Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:18.856{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-39775-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520895Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:20.449{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6A946683087C8C166A08BDD6FDB3A0C,SHA256=653F23A3E474154C8A4D05BB13F93D7C792E8791A67607301050787293DF30CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425594Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.519{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B813367A171C933CC3D3CE4B586CCD0,SHA256=93CFA990D790D5660643A8A943DE49D08CC6F3D312381B7468DE486D6EEEBEBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425593Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.316{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431C798E79A3E0141614C8F06E8A8FF1,SHA256=66AF50E073DB9EFB358A0783543EDE1F35AA89E63B6809F5B01B3ED1D2913985,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520905Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.927{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520904Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.892{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41052-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520903Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.860{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41043-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520902Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.801{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-40943-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520901Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.469{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50113-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520900Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.449{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-40568-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520899Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.223{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-40288-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520898Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.148{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-39906-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520897Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:21.449{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6199E7568B617C95B6451B9345BBED8,SHA256=433A43D25AC3AA64107EFCA7149535E866F62E5E07594F19B662F7BE8C209218,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425600Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:21.363{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCF62EFF641FB710242FC2C862EEF2CA,SHA256=C5F6017C2E9A6EED332A1619CF2D020A4B7B5E1CE6BE4F965ED291AD18A8F2B0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425599Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:19.254{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-5444-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425598Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:19.079{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-55573-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425597Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:19.042{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-53393-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425596Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:18.155{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-58101-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425595Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:17.893{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-49810-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001520909Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:20.151{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41311-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520908Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:20.062{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41271-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520907Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:19.985{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-41190-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520906Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:22.470{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B2A891E792CBE553E1387BDF14913F4,SHA256=F9E08E52A87FEDD42D5D6C9E3CDCF2B4861C1725D84B74898C588E4CBB2D4A55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425651Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.489{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B199E69E8BA63E06EB40ACEE14CE56D,SHA256=D10A934FA90B86F56B4B863FE3472C93E4629CCD3575826E282F227CEE9742D9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425650Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:21.005{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7135-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425649Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.983{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-7003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425648Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.960{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6835-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425647Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.944{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-15038-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425646Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.923{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6702-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425645Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.907{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14828-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425644Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.900{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6465-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425643Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.870{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14620-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425642Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.860{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6351-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425641Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.838{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-6149-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425640Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.831{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14402-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425639Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.801{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5937-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425638Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.793{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14279-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425637Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.771{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14161-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425636Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.763{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5816-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425635Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.748{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-14042-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425634Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.741{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5656-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425633Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.726{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13923-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425632Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.717{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5498-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425631Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.703{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13812-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425630Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.695{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5237-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425629Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.681{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13709-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425628Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.658{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-5097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425627Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.657{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13566-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425626Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.635{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13346-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425625Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.630{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4904-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425624Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.607{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4782-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425623Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.598{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13224-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425622Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.583{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4610-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425621Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.575{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-13076-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425620Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.559{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4409-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425619Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.553{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12943-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425618Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.531{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12805-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425617Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.524{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4317-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425616Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.508{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12674-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425615Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.502{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-4116-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425614Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.485{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12522-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425613Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.477{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-3990-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425612Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.462{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12323-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425611Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.453{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-3838-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425610Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.429{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-3628-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425609Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.427{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-12110-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425608Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.393{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-3399-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425607Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.391{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11987-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425606Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.368{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11778-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425605Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.356{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-3303-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425604Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.334{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-3200-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425603Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.330{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-11654-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425602Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:20.311{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-2935-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425601Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.082{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=210FCD1C75C8434A67F3ADD64915BA66,SHA256=CBF66D7D25A860AF215A6BBD8A06389ACB78439B02DDCE322ED903B1A4CA35D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520910Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:23.501{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F28D9675975B43F16D944EE50A0DF9C,SHA256=54F606BE88E8AC27A3F7659149C263721A5520909AEFB9528EADC925AF5179A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425654Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:23.535{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94F9099903E504CDE3BA129609187AF,SHA256=6C7915993707EEB3550B286E9E8C2B844C166AFC1DBB6E5D5A8B03F74E6D962B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425653Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.085{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21780-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425652Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.063{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21545-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 13241300x80000000000000001520914Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:48:24.924{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x61fee56b) 23542300x80000000000000001520913Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.565{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=432E042C9397344CA5FEC707EBBBD94F,SHA256=510B67FC35BD0D380C305D851396AE06C28D8A3105EEB670D6813B2863169576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520912Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.565{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E34EC162E7FBBCEE7DE7EF5A253DC0,SHA256=56195718180772AD4D1655F0192B656EA5C02A6471E5EA25E4DEE577D0EFC44D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520911Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.565{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=51CB652BEF99AA5009F8779FB39D296D,SHA256=C12862730D7A7FFA84B369C9E68824C425DD3F09DC6E25080106E94779D327A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425685Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:24.770{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBFB24FCAF92551A0D06C040E3EA87B7,SHA256=4AF175D79A99C7D76A083E5DF03398F0B6309EFB8A579BE67725CDDD8B56755B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425684Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.886{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58053-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425683Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.809{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25897-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425682Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.786{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25769-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425681Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.776{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58042-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425680Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.763{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25619-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425679Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.741{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25373-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425678Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.702{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25218-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425677Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.692{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58011-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425676Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.680{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-25097-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425675Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.656{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24974-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425674Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.642{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-57506-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425673Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.634{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24787-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425672Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.596{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24678-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425671Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.573{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24534-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425670Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.550{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24328-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425669Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.513{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-24230-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425668Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.512{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-56765-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425667Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.490{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23990-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425666Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.453{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23766-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425665Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.416{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23563-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425664Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.380{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23367-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425663Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.343{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23204-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425662Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.320{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-23086-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425661Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.298{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22960-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425660Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.275{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22836-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425659Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.252{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22646-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425658Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.217{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22266-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425657Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.180{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22109-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425656Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.132{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-22030-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425655Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.107{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.15-21886-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520915Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:25.596{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45403B872F6ED969D5A44C531FCB6A5,SHA256=B6F43914BF85B9AC3AC37985BA88A456B8A5026B16CBED8EEECD8052A36B240D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425694Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:25.801{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC7E0FCF4DCEA6EDFCF55D971D4C4EB,SHA256=3CCF6C493ED5DAF3B16EFC84A43B5FEAA17F916D2BAC41E7B6603452197F4A64,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425693Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:24.025{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59485-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425692Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:23.951{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59381-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425691Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:23.866{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59246-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425690Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:23.806{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58447-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425689Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:23.724{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58263-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425688Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:23.405{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58147-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425687Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:23.096{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58095-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425686Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:22.997{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49813-false10.0.1.12-8000- 354300x80000000000000001520919Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.241{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-47538-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520918Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.207{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-47437-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520917Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.165{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-46862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520916Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:26.675{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5EF80EDDDB032A989D012E372518565,SHA256=4BCB0DD18F3C63838EEDD575B94D5EA17A3391D37DF905B43E6ACD8C6DBE2958,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425697Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:26.946{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-006MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425696Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:26.802{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C4EABF465E77A17BF8E837A6F248ED3,SHA256=5D17B4EFE165601B8E007EAF0A59AE97A7AC44571FE1571CA3B7668D4C41E3A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425695Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:24.125{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-59695-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425699Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:27.951{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-007MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425698Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:27.809{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6BEA91EEB9F99A82D1045F0386E9FFA,SHA256=8831CE7BB0CAFD1329A19B1BE2DAE8C4ADA9244133287CED41C4F33215239F10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520928Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:25.458{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50114-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520927Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:25.448{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-48359-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520926Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:25.110{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-48140-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520925Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.824{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-47966-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520924Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.634{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-47820-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520923Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.494{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-47687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520922Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.363{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-47622-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520921Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:24.290{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-47593-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520920Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:27.675{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF4492539C3BC1495604AFF931824DF,SHA256=2C2C571E4A9D359E2F5E75E12A91A09AC0F12C7E5DB588C7E32580870754C4E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520930Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:28.878{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=432E042C9397344CA5FEC707EBBBD94F,SHA256=510B67FC35BD0D380C305D851396AE06C28D8A3105EEB670D6813B2863169576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520929Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:28.769{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D880F4CB9FF7FA37E271584166C8817D,SHA256=555F4C7D77316F1E8FF78D2F5186DE31B2AC0FBD86BF4615C3E30CDF4CB9BF8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425713Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.811{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E652F6099ED50C0BF0641933EEC34E03,SHA256=930640F893241118397F2D6C2FEB0E9E38F59CD60E5B02493AA2726C1DE340DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425712Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A4C-6154-AB00-00000000FE01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425711Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425710Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425709Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425708Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425707Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425706Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425705Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425704Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425703Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425702Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1A4C-6154-AB00-00000000FE01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425701Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.545{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A4C-6154-AB00-00000000FE01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425700Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.546{69CF5F33-1A4C-6154-AB00-00000000FE01}3168C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001520940Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.769{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1E9AEF392C545CD2E652576875E15D,SHA256=1587BA8D63CEFD4AE269DD3FB9B88B2466C5270A987942A811C20D925BDC7FF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425730Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.811{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A922B234E0E79ABC0EB7775FFB0932D,SHA256=FBDD0A23C56B90DA3B030B73D2417434EF9BBEC0702C3C6185B57F2957345748,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001520939Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.222{5EBD8912-18AC-6154-1600-00000000FE01}12721792C:\Windows\system32\svchost.exe{5EBD8912-1A4D-6154-D700-00000000FE01}2368C:\Windows\system32\verclsid.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520938Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.222{5EBD8912-18AC-6154-1600-00000000FE01}12721320C:\Windows\system32\svchost.exe{5EBD8912-1A4D-6154-D700-00000000FE01}2368C:\Windows\system32\verclsid.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520937Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.207{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520936Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.207{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520935Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.207{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520934Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.207{5EBD8912-194C-6154-9000-00000000FE01}28444332C:\Windows\system32\csrss.exe{5EBD8912-1A4D-6154-D700-00000000FE01}2368C:\Windows\system32\verclsid.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001520933Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.207{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001520932Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.191{5EBD8912-1A12-6154-C500-00000000FE01}45923200C:\Windows\system32\cmd.exe{5EBD8912-1A4D-6154-D700-00000000FE01}2368C:\Windows\system32\verclsid.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001520931Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.206{5EBD8912-1A4D-6154-D700-00000000FE01}2368C:\Windows\System32\verclsid.exe10.0.14393.0 (rs1_release.160715-1616)Extension CLSID Verification HostMicrosoft® Windows® Operating SystemMicrosoft Corporationverclsid.exeverclsid.exe /S /C {00000001-0000-0000-0000-0000FEEDACDC}C:\Users\Administrator\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=7DC3CC2B93D1749D1AC1C7630853FC3B,SHA256=9C95EF6902DCD9B9C825A44142D3E7E6AF3F265FC76DA38726DEE98B0C7E1127,IMPHASH=A98EFA4EA63A30E0F4AED01804CF8D77{5EBD8912-1A12-6154-C500-00000000FE01}4592C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x80000000000000001425729Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.530{69CF5F33-1A4D-6154-AC00-00000000FE01}3316752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425728Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A4D-6154-AC00-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425727Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425726Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425725Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425724Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425723Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425722Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425721Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425720Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425719Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425718Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1A4D-6154-AC00-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425717Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.327{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A4D-6154-AC00-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425716Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.329{69CF5F33-1A4D-6154-AC00-00000000FE01}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425715Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.139{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483D9A06493ECBF4BFDD0935783A54F9,SHA256=B39BFEC3F75D8C49DA3650FA27AD5E331FE6A26156BE8BF8DB8CD6EF758692F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425714Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.139{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF30CD68DF11ADEE6D9F13C7AC8D2B0C,SHA256=D08EC4B3F6605EBFBC4C40DE185A8C33FE5C73FAA8C0F6F60992DA707C046357,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520942Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:30.770{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051FA93032F6464AAF955BC106874A41,SHA256=7307A4243B49C47D11694E977D116F098D5A75AC883386B617B3824D8792EA44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425746Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.827{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2798443B53CD08E8932B111652073E07,SHA256=FAD6A49F6F2F817239B6AC5CA94CAB222BCB83E5D64AA0BFEF74692D7CF0E175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520941Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:30.191{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D9C2EFB6965CECE3CBEF886BCE8D872,SHA256=3C3C1426F8C961D7A18C87F9A7D491A7D909F8846E0817DBA0F1C2F5BE70D2C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425745Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:28.928{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49814-false10.0.1.12-8000- 23542300x80000000000000001425744Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.389{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=483D9A06493ECBF4BFDD0935783A54F9,SHA256=B39BFEC3F75D8C49DA3650FA27AD5E331FE6A26156BE8BF8DB8CD6EF758692F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425743Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A4E-6154-AD00-00000000FE01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425742Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425741Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425740Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425739Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425738Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425737Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425736Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425735Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425734Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425733Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1A4E-6154-AD00-00000000FE01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425732Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.342{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A4E-6154-AD00-00000000FE01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425731Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:30.343{69CF5F33-1A4E-6154-AD00-00000000FE01}2468C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001520944Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:31.801{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=191B291C8FB337AE6EB967689D29F2CF,SHA256=7635573C3ECE19F193E07A5ED2EA47340E64C2B23ED1D9C88F4D7940848FB1BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425749Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:31.843{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BFE2C8E44DF16ADB62A55723F36F84,SHA256=D6E86BA4BB10239BACA52FD5C6D568E8C30BCDC584D3D0404862D23AE3867BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520943Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:31.301{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92484D62EB629CFD0543409B525E60DC,SHA256=5DDD5507D35A53268D46180FB63D8DCF21A9E9159FC8A78EF8313E242FA771C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425748Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:29.489{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-7327-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425747Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:31.515{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=569E1B42408C35557A98BB59823E5D64,SHA256=583156EC71EBEB16C20923D53B23FB361B7E7FE59FBF142B52C355CBE0CE5577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425750Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:32.859{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7810467EB07C59EE762C1B24F1AF082E,SHA256=E489C1EF63A45DD878526E56A0FD70EAA7484E317F4135E149291B7180E42F05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520948Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:32.380{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92D1AC886FCA55C06E377F2386AC8A12,SHA256=3CF1A9278E433D20FEF8AE4BEA4427F37FDCAAA344994BF134F6E9B2A639BC7B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520947Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.562{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1652-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520946Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:29.538{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1531-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520945Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:28.582{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-52603-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425752Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:33.906{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CCE9D37F4225B69E4D8650D821447B7,SHA256=210590BE444877BAC1A9B7EDD9167579DA59FA9BE0043D6C099BC834EB48F412,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425751Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:31.832{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-10684-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001520951Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:33.443{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03C8795722C191FFC9DBB2D439BFCA16,SHA256=E88ACB9CA1C5791C7FB5E56AC07CC7B9B675A13BDDC5ACA05EC8F1C938DF354E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520950Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:33.161{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2F76046F1563053C1B3461239445D915,SHA256=C2185F48B44678FDC91991ABECBA66A3CBF03E3A872378D0558EA2F798CC7999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520949Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:33.005{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E91E0E438FD29EAD7434F66F89AF1DE,SHA256=1216FA2A096A88C4701BD5D2DEFC6E01DB384C2B8B5EDBFF1CAD97D11ED7225C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425753Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:34.984{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30F0977B2DF17FC57A376E201900F699,SHA256=C056830D434DE82F9DD3C19A2EECCD8DFC3DA38F8A1C40DC380ECBB3B81B441B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520957Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:34.552{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E8AAABB5BE9C8707EC9F250C55314CBE,SHA256=16351825A29811880E84782A3BBE2489A9E9F2A65A6C105D9F2DF83FEBD510D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520956Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:31.713{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-10736-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520955Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:31.443{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50115-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520954Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:31.174{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-56178-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520953Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:30.635{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-6196-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520952Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:34.005{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4939ACD3E3F0BE7C6929DCA52E833E4E,SHA256=290FAAD8CB93DB951E86554D7A439B5BD32B940E6E469DA0C4570BCC1FE7811A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520959Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:35.631{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC818305D4F0F070AF96575F78518B85,SHA256=62D53DABB24266D9A22AB592B61B6B6071E3AABEE3F6CFA2D9C757C8C068253A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520958Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:35.006{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B43B0A40FA97BEFD7D37F348D298C7,SHA256=737676B1F8540B0D9A4B602EB0F6DADF3A2780BD519B552D2583ED75C3EFE90F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425754Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:35.656{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6004FFA1BE4F0236905D337B8B853A0E,SHA256=0F201E551B5A2A54E094E1B56A8134DB0D5D8C20C24D2282FF701046057BC624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520962Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:36.725{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=07D5AC7347E3AA3EC227919CE5151E3D,SHA256=41851B1F6706D7C4AB32105FECBA2F8A6FF63F78914C1FF77350B0ED8FF703CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520961Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:32.790{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-15200-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520960Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:36.006{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE2E1C55EEA722ADCC84ED1C649EE056,SHA256=2038F53167A6860577589B65464F5835331865DE1C2B6007418CBB2E33D9A3B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425756Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:34.882{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49815-false10.0.1.12-8000- 23542300x80000000000000001425755Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:36.000{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6663C844BE2AB719A3132DA504E3715,SHA256=AE35535B82B2455CCDB1B4DCA4312CE94971E0A9AEAC9FD2FEC7A5A3D6B5EC41,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425759Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:35.727{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-15015-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425758Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:37.781{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C811F930526C5DA73A9489AD145EA9B3,SHA256=0B335235D846B989EF6E9899D145BD8855987992D17E4D495798EB6CAE9871E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425757Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:37.015{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACE253F7F184E13A373278CB4EB8B3FF,SHA256=5566C72E3B2F711F760586FDB4BD777CB422CA818CCFD67ECC91CEC9195D0950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520967Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:37.803{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=48574F48BEC0464D97985EAE029DCBE9,SHA256=923A3FA4780E74738C5DB9397E4CAC0AAAEC38E84ACC2AB8AB7ACAE74D0447C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520966Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:34.975{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-24238-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520965Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:34.786{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-59724-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520964Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:33.885{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-19749-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520963Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:37.006{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10ECD3EB0662498BD54275101E8B02B5,SHA256=4CB347B8E2A63030019AE9F406E78B271A895679EAE4F260887E20365B74C02E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425760Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:38.031{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE7038AFAFE44CD077AE89BC78A9E8A,SHA256=537B568DEBEF963169A56074DC30230FFE11D014F77EA37E4D210F3AA2B94F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520969Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:38.944{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F053A0F06FF67BDF8067AD40960A157,SHA256=8389BD146663A9F03086BEA9E43D894DF7E8F95E4231C51FE5BB66FF2382F57B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520968Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:38.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431A86D813232DD5A61CE7C2660A660C,SHA256=75E32E16C7EB18034B0E8AEAB08952DF637CAE311013E0A7C7F19B6C7A2A365A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425761Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:39.078{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=431DB6AC64B1679591077923E570035D,SHA256=7ADEB86888FA55D994A9F04E5DB0588D3EAF46C4EFE1BE3941CA099333BABD94,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520973Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:37.163{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-33493-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520972Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:36.537{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50116-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001520971Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:36.075{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-28854-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520970Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:39.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC195B532C0249483749AD63F97A582,SHA256=9473DB9262E8E24D177B2CE583870606ABBDB8A1A48D089E45ECF4050F20AA1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425763Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:40.110{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4DEF09F47EBF5C0979EA9219E91038E,SHA256=C161352A9F303C8645110F4930849EEE30AE9B3B9919551210426CE47E946EA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520975Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:40.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAD06F635A34012A4E81727926CF2458,SHA256=2A5C1CFCC0E27403657FC865B3B4F7A612832C00E078931C350D3AB83D33B83E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520974Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:40.007{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02B3E38DDA040E20E0B7C56608E262F9,SHA256=7ED96AF7528753C8F658632592004EB47FC9F678322004BEB4567A934002839B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425762Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:38.377{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-19196-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001520978Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:38.276{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37864-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520977Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.101{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1AA4407A4E46DBC73C4D6765260D648,SHA256=2EE97A85F3263CE6F478EA2F673749C51548EBB204C4E3723DBB571ED9A5F4CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520976Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.008{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA10B60CC320D9550A14213828A354B,SHA256=19AD708CD19078ED9AFA1E79BB2D9632F6EC2FC574E6FFCA211A41286471EA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425765Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:41.844{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B90A44B0B3A7303C2AAD51D1ACFED4E4,SHA256=578B54B124624EDA6BDB6680BF0A1222F960808298F01E9A217AF1E16E6F4881,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425764Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:41.110{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6C0D7D7389C1B6C71CCAF90E280A6C,SHA256=AA9881D383069C7BDBA279D4FB416118CBADDF577BB05E15C7D11FFF80F5236A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520984Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:39.865{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-7302-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520983Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:39.354{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-42787-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520982Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:39.054{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-24775-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520981Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:39.031{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-24623-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520980Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.195{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB91E6ADB611FE9A4A28B45D0B90FD0B,SHA256=E8442C5FCD339B964DE3562B03D20CD7022F04FA90B575A9A66A80500047245A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425767Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:42.141{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED55085D6D160C0F1B940A26055F195D,SHA256=984AB5068889115AFC680A52AFD03D6B24A2292927009935BEB6E463F0F39B3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520979Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.179{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F258F0EAB8C5293DA937C012DF9C64EA,SHA256=12AA9D75D1D753D4590F08EDDAAF8089D77C301FD74912EE8799A6369E432F19,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425766Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:40.038{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49816-false10.0.1.12-8000- 23542300x80000000000000001520991Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.727{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F6838EC0CE2BEBC0251940950C53499,SHA256=B36B1469DE1414C3297DFCE4B77713494C7314F2BEC177D82C59797C690E9BC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001520990Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.532{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-51946-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520989Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.509{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-51847-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520988Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.244{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-36656-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520987Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:40.434{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-47321-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520986Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:40.135{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30559-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520985Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.430{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=752E2A33F31B706B8252049422FCBFB8,SHA256=57C62584F33251426E14E69FF9A88C44665051A30003D98D7FB2F7CE6BC7D0C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425782Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.751{69CF5F33-1A5B-6154-AE00-00000000FE01}30563020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425781Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A5B-6154-AE00-00000000FE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425780Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425779Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425778Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425777Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425776Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425775Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425774Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425773Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425772Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425771Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1A5B-6154-AE00-00000000FE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425770Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.501{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A5B-6154-AE00-00000000FE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425769Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.502{69CF5F33-1A5B-6154-AE00-00000000FE01}3056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425768Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:43.157{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87F3668046DD2F8FA70EC05CBACEDB17,SHA256=0F56D2339FDA38BC646EEB772B995E1BA4203946895E0DF628F58CC2528425FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425812Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.845{69CF5F33-1A5C-6154-B000-00000000FE01}2492748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425811Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CFC72532E631BEAD6CC89F046C9ED9F4,SHA256=6DE5D30113950EEEF25A3EF0191C226D6A18E7ECB9AB06E5C35EEE6329D9A788,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425810Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A5C-6154-B000-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425809Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425808Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425807Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425806Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425805Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425804Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425803Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425802Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425801Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425800Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1A5C-6154-B000-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425799Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.532{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A5C-6154-B000-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425798Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.534{69CF5F33-1A5C-6154-B000-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425797Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.439{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C031E80E208AD1890C796BFA3CB49DD3,SHA256=4666C8313A2FC414C2D29AD07886E467B1D96A1268E0DEAB2D155005790D2485,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425796Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.251{69CF5F33-1A5C-6154-AF00-00000000FE01}7522756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001521025Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.836{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03ACBE641C1D59D8EA19EE81B4B91CC4,SHA256=CEF79EB00A736AD0027760E4B528D086E9E0D1D3A284151A1262EECEC71823EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521024Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.630{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44240-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521023Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.607{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44127-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521022Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.585{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44016-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521021Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.562{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521020Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.538{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43759-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521019Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.515{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43632-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521018Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.493{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43520-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521017Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.472{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43336-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521016Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.458{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50117-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001521015Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.434{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-43195-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521014Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.420{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11287-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521013Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.412{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-42957-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521012Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.376{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-42841-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521011Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.354{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-42665-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521010Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.354{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11223-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521009Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.958{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53667-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521008Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.920{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521007Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.897{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53481-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521006Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.875{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53381-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521005Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.852{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53301-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521004Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.830{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53205-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521003Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.808{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53115-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521002Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.786{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53012-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521001Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.764{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52933-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521000Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.742{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52782-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520999Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.705{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52644-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520998Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.669{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52542-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520997Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.647{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52472-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520996Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.625{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52356-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520995Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.603{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52191-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001520994Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:41.566{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52044-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001520993Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.446{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0AE53CB2164336EF334F4A2E2151F3,SHA256=EB825258585F1A3AD30C20002508D796D7FD2164D634A41E8A76D896DF952BA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001520992Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.414{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425795Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A5C-6154-AF00-00000000FE01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425794Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425793Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425792Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425791Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425790Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425789Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425788Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425787Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425786Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425785Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1A5C-6154-AF00-00000000FE01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425784Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.032{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A5C-6154-AF00-00000000FE01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425783Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:44.033{69CF5F33-1A5C-6154-AF00-00000000FE01}752C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425828Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.673{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F24A9274F31AC0F0FDBD0CFF333D7635,SHA256=6840FF026FBEEEBCE5545B18707C3C123FEB87D32F79AA4391CD01E57F48BACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425827Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.673{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=284FB4CA00A82DC5BA07AF9198E85216,SHA256=FDA55E53C1A2651559FCA03E886C7C88DE28AE40935329A7E266EB1FAFB04332,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425826Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:42.503{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-23950-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001521062Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.725{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-2199-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521061Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.724{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50118-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001521060Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.687{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-2104-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521059Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.665{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521058Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.628{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1796-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521057Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.591{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1645-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521056Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.555{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521055Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.533{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1375-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521054Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.492{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521053Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.470{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-1100-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521052Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.432{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-59968-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521051Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.409{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-59803-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521050Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.375{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-59645-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521049Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.341{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-59552-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521048Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.319{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-59392-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521047Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.281{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-59303-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521046Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.258{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-59212-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521045Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.236{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-59071-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521044Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.199{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-58895-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521043Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.161{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-58752-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521042Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.123{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-58611-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521041Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.087{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-58433-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521040Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.050{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46385-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521039Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:43.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46245-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521038Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.991{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-46125-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521037Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.969{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45922-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521036Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.932{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45799-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521035Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.910{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45587-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521034Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.873{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45422-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521033Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.849{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-45170-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521032Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.821{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44914-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521031Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.771{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44853-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521030Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.732{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44703-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521029Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.695{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44591-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521028Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.674{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44482-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521027Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:42.652{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44374-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521026Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:45.508{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B05331D3D96A5DABFA623EE66B99F5CE,SHA256=53E8F986B3D01EA61828EB406591F65582A38DCF7F744E7A0D01D8257E72C685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425825Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A5D-6154-B100-00000000FE01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425824Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425823Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425822Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425821Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425820Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425819Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425818Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425817Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425816Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425815Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1A5D-6154-B100-00000000FE01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425814Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.048{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A5D-6154-B100-00000000FE01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425813Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:45.049{69CF5F33-1A5D-6154-B100-00000000FE01}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425829Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:46.501{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B66B0E6324E1BF16AF5478172D7ED6A,SHA256=423BD19D9E4B9640D7D3BE48C0280EB6573BE687902C0F4C4A7CBE345BB63676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521069Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:46.649{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4822704B672E223AB505328573D2703B,SHA256=B9FD389FB2852D20AFB0967F7A5794370873E9C3A5B109892A3B6F6BEC0667E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521068Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.280{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53101-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521067Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.259{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52897-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521066Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.222{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52701-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521065Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.188{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52591-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521064Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.166{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-52454-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521063Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:46.212{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50158AF289E2E190B598147350D5FD26,SHA256=5D76F94CF2EE6C78C6B3FF4C829145EC053256D34512E251441A24846ED14F9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521076Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.603{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB07CF83D6296790363EF2AFB0CED849,SHA256=65013E32AC1C4DC313AD7C7539BC9865B69161DDCC8010DB2B724EBBE3EAB119,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425831Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:46.006{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49817-false10.0.1.12-8000- 23542300x80000000000000001425830Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:47.517{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84DD66914754601D2837959962AB603,SHA256=C913858626E0238DC17A7B1071279F876F2CFCF96BC747513B5FA4D63D12C8C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521075Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.838{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-7083-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521074Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.399{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53729-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521073Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.363{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53595-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521072Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.340{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53436-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521071Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:44.317{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-53232-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521070Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.290{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74F7CA0C7D61EFB7757A7017972A007A,SHA256=AD61D9994FE47587F5AD665640C15EC2AE7ED75668BC33AFD78A286080BBF036,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521082Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:46.619{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-7135-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521081Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:46.115{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse47.181.68.46static-47-181-68-46.lsan.ca.frontiernet.net37526-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521080Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:45.916{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-11676-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521079Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:45.542{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-1208-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521078Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:48.603{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4D908B9312DA3F93B3F81EA7EA6F3F1,SHA256=C77D0768D8A271ED95C9E81BA7B8B8137A8D9378E2C3A66C84D36799DCF21EBD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425833Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:46.584{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-29803-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425832Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:48.564{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15C011CA290D5F99FAF7579FEA5E987,SHA256=F556DA1E4BF9818274D3F1DE3ED913B01CC0B4931A4703CEB6E9636ADFEC03CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521077Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:48.369{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04A2726C62A31CBFDE222B0C9B2DA238,SHA256=DC02C02CB7AFD8D693FAF7EDE3013705F25FED3ACA96A6889487CA7D437570F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521094Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.806{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17116-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521093Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.788{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17082-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521092Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.769{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17066-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521091Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.738{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17043-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521090Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.711{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-12958-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521089Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.635{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17000-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521088Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.569{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16958-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521087Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.456{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16888-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521086Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.270{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-16687-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521085Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.133{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-16509-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521084Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:49.666{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6627FEBC79812C8B267E0BFA16CA0CF8,SHA256=97160228A16DFB15AE6D489825B7A080AFD8FD8496196A4614F5985213110691,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001425835Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:48:49.611{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x70b5e344) 23542300x80000000000000001425834Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:49.596{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB270914ACCE33391A433913409C366E,SHA256=C44B63633A1BD9E9D97527E56E5330EFE71DD86805C6289829C3C8475438E81E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521083Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:49.479{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=887CE987F7F4EBDBB064FEBF1B7CCD56,SHA256=F18D4DFCBD07AE1FBC547920114A5FE056C2D3E411BEC94D5BF27049F0C281B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521100Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:50.885{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97F978E1EF66648EF3C79B647799281C,SHA256=D89376070977D29BCFAC9B0F7B5EBB125F68FA364949F98804142B542DC62121,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425836Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:50.627{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1FED8869AFA155AA5F74CA19B871FBB,SHA256=AD2E9E2CE21CEBA04655CAFC093BFFB249C57E718BAF4B5A59277C90DD3A652C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521099Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:48.349{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50119-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001521098Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:48.309{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-17660-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521097Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:48.244{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-21085-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521096Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:47.989{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49860- 23542300x80000000000000001521095Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:50.573{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4B57FA5E7301E3E32B0F5FEB9649892,SHA256=B3F3FA1AC952E897D79E3468E38437ED6BF177B0EC4B4039D1E044639C38545B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521104Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:51.886{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=969E93546857E73A06BE8E507EE6E3CB,SHA256=77E2DEC15BD77386995CB9DB7F0FEEF23B0DC790F53FBB89E2F39FAA5FECEC89,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521103Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:49.334{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-25652-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521102Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:48.822{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-18951-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425837Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:51.658{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8593A809F92CD692868505CD66459B2,SHA256=F07D6331607B450E2FB329FA9995E86A689AB195CE51FA0E7DF11466B385445D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521101Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:51.651{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84933E7B00963D5380C37A39ED151F7C,SHA256=0E013E4D9ECB7EC7972C2EA16A3976F2A8860BDE4FB69FD9F5BAA5D0DB3EA0F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521108Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:50.533{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-30322-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521107Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:49.901{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-24797-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521106Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:52.902{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D3E3CB7B74EE36D40D1E63C3C638179,SHA256=2F96AFF14F7B1FE783C187B0409376E4F3EA39D5C46A3614CAD6367484BAFF56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425838Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:52.690{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D7DEB548A26A322A4F081631610529,SHA256=F8A278A98E8BC34C22CF26A48A5766386D9BF6EBBB3F89F6DDF85837B8F45EAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521105Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:52.776{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E7743A519F6DB06179A7F089EBA866D,SHA256=6D69CB053975E092BC1BDE62C6F043DE3877ED34CD087B20DBE63213BC3036AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521112Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:53.964{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B12074F003B8A74E80482976D3199E9,SHA256=BEF852BE088DF4727EDA8CA772D09045E5F85B588367D4FBBF70E776FCAF5F0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425841Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:53.721{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB19221A6A5DF986CD8A930E5F602756,SHA256=2345D4FBC3FDE6D625632A20223F3B70E7A692D7BBDAAEDD46CA0F35EEA71D7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521111Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:51.649{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-35172-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521110Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:50.993{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-30657-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521109Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:53.886{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B34B50C4EF21DC072EE8C6C0D593C83,SHA256=E71EC634497299B77A0C60D9788731039C4EF5CBB90A3FAEF61040CCD1966850,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425840Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:53.127{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EAF9ECE85E532330D618DD87B7283DF,SHA256=03D2FE8B27CE3AB5BE3B84C4868FD721FA2A34CDC9818A44AB53F9820D71CE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425839Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:53.127{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2FAB78471BDC2AFF44BFD66C6B894283,SHA256=C85BE2DB5FD02FB93771311D9F78A7DAC0B9559E366CC2C6D46FA43D9EA89A43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425842Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:54.753{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254127693767BF434DF32DA738BFD97D,SHA256=D94915C5A7A6A621696D9325DF4AD40BF6E30B4EC4DA451CA7936E295EA35930,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521114Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:52.598{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-23334-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521113Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:52.117{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-36849-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425845Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:55.784{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=069B175DACF4C1C5F3745B96A0738B08,SHA256=4083F1A5447064C9E9457B8B1248F14447F76B8344902EF969F3B91C667280BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521119Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:53.396{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50120-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001521118Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:53.246{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-42946-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521117Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:52.742{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-39602-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521116Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:55.090{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC3976B765D00D0C3964C905650BF477,SHA256=4DFD07C3186CB8539591B5B8084E865B2E28FF7A32C88DB07D78D51CDB2DFE86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521115Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:54.996{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E05B15B9CD4815873847B854CA7FEE,SHA256=55BC7677CE96D100769FBD2B9CEA223F45E01E27A5346AA5F00531ED56D30A01,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425844Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:53.398{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-38069-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425843Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:51.975{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49818-false10.0.1.12-8000- 23542300x80000000000000001425846Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:56.800{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9410072AB5C0C126974EF19A452148,SHA256=D7E69F4F32D223890C614C0E1791975BD902BC2A66D04E5652390491883CAC66,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521122Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:53.853{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-44393-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521121Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:56.153{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87846B2120B8D02BAF8F77B5250BEDC3,SHA256=3C5B3C474EA6AA9F876C93EAC285AF73A97E5C669379DEB91D3AAA2FFE922BA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521120Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:55.996{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAAA3FCACCF7C3C119A35636900BDF35,SHA256=616F0F892889F09B2C2553676C8E744FDEC6474651B7EF8325F25BDB1967DCC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425847Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:57.863{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92563995317615C622D78FF9195EFCF4,SHA256=3FC9060FADDB7A0B6363C8F17DBCCC55C159A0F1CBE5C793E40C2B8C8C554FFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521129Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:56.011{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-53523-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521128Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:55.494{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-54955-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521127Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:54.931{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-48855-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521126Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:54.416{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-49242-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521125Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:57.485{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\respondent-20210929074147-006MD5=A9A42281E5AC80C7384A9CB787C868D0,SHA256=3FA67950307563E8508E097058F58FAD833FFA00CAA097776E12802F7A654FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521124Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:57.248{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BAA937D807D03CB423204D56608FF1F,SHA256=793DEB991B678C1206BC5EB5870F454771335B964560D8C43BDE29C62058834A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521123Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:57.076{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28814737AD59095FC00DB6D26BE4FA60,SHA256=B2A4622A5CE34C0CA6A5FC5ABE7431AA89FBEB869EC0AF0AE47D17E44A25E9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425849Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:58.879{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564E25897255C7C387CEA1F6D255B9FF,SHA256=32CF2D0256EEA7626032721B9CBD1E9944B8056893A8ABAD2F05C77918182543,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521140Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.501{5EBD8912-18B9-6154-2800-00000000FE01}2952NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0fd64d26ae25a9a58\channels\health\surveyor-20210929074145-007MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521139Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.435{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A6A-6154-D800-00000000FE01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521138Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.435{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521137Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.435{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521136Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.435{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521135Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.435{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521134Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.435{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A6A-6154-D800-00000000FE01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521133Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.435{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A6A-6154-D800-00000000FE01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001521132Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.437{5EBD8912-1A6A-6154-D800-00000000FE01}4604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001521131Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.357{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=651B9FE3C8B8B79410DF74A81C2F62DE,SHA256=C190875FE1A08BFB91B84EEE34E53550DC1D70D640B415EF155E021B3D42DB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521130Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.138{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE1FDBE911F5D3888F732A8475212CF,SHA256=D1AFF4FFF49D0BE79CEAB1F46AE57B5E0D6C4132F105DC24F35951C36A55C3DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425848Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:58.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9EAF9ECE85E532330D618DD87B7283DF,SHA256=03D2FE8B27CE3AB5BE3B84C4868FD721FA2A34CDC9818A44AB53F9820D71CE4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425850Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:59.941{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41A0859D0DCE5372FC36A27537C67B63,SHA256=C91143093F4107CAF1DD5C5365893CF8932A5B4A1EB162E83EE91682954FC2AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521151Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.767{5EBD8912-1A6B-6154-D900-00000000FE01}24924372C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521150Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.564{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A6B-6154-D900-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521149Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.564{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521148Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.564{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521147Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.564{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521146Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.564{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521145Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.564{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A6B-6154-D900-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521144Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.564{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A6B-6154-D900-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001521143Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.565{5EBD8912-1A6B-6154-D900-00000000FE01}2492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001521142Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.455{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0E016BB4004EA43F2AC2F0CC074C331,SHA256=A893AEB8652691E0C7AEE8C1BE42486CBC9DBA223B2B804AEDA1AA0437030255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521141Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.142{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F514158460D705B9ED550E85418E8B85,SHA256=E57DE04A285724D24C61DE8DBD1ED49F84D308830CA44D49591C6285077969B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425854Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:00.988{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916CA3C3D82018E8CA95D370384BE6C4,SHA256=A074111E18D0AC83B099B7AF4F3A6053A35432C85D110E2A7032674DCA19EDC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521162Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.642{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB8A50F757D9F8519398F0DAB9E702D4,SHA256=598A62F6FD230AFF68637E8332EDCC1A982BD0BB05FCBBE622B4211CF15818B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521161Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.189{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A6C-6154-DA00-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521160Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.189{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521159Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.189{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521158Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.189{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521157Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.189{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521156Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.189{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1A6C-6154-DA00-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521155Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.189{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A6C-6154-DA00-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001521154Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.191{5EBD8912-1A6C-6154-DA00-00000000FE01}5056C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001521153Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.142{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2EB9AB1342E27CCC9ED1487C97B6FB2,SHA256=8588454B80ABA6EC4A244DC8035CA67EAF487EB636784BCCA031AE4C4E016A42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425853Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:00.332{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F7389F82208C43957922877BF0ABE203,SHA256=5A4E9D4A5CB3A70AAA636F3CF207A74231B8B937565A6B01AA331C0C2C867051,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425852Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:57.993{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-44336-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425851Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:48:57.959{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49819-false10.0.1.12-8000- 354300x80000000000000001521152Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:56.579{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-1764-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521172Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:01.736{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B800AB8B54AE376B4565B6FE9B821A6,SHA256=F50FC0E06AD966827BFB4AE6433AA3BAB8CEE8FBB33980148908C44D41C6F066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521171Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:01.143{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3CCEC89C052EA86F44FE82D1BFA11DA,SHA256=9F100D8B93837DA58D0FEF653E5A99D3442281E535FDF2E678248B7938D22015,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521170Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.824{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-14018-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521169Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.650{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50122-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001521168Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.650{5EBD8912-18B9-6154-2700-00000000FE01}2944C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local50122-true0:0:0:0:0:0:0:1win-dc-429.attackrange.local389ldap 354300x80000000000000001521167Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.525{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50121-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001521166Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.179{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-3590-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521165Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:58.083{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-30350-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521164Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:57.696{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-7862-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521163Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:57.089{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-58003-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521186Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.862{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0F164D4EBF66C0487712408BCEFFD4F,SHA256=BF089755AC703BAD2A6F6FFAB53E20949A21E2DCC28C6AE8CF69DAAA894EDEF6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521185Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.612{5EBD8912-1A6E-6154-DB00-00000000FE01}35804724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521184Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.393{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A6E-6154-DB00-00000000FE01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521183Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.393{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521182Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.393{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521181Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.393{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521180Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.393{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521179Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.393{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1A6E-6154-DB00-00000000FE01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521178Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.393{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A6E-6154-DB00-00000000FE01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001521177Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.394{5EBD8912-1A6E-6154-DB00-00000000FE01}3580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001521176Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.174{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D80442CD443AAC54BF4EDFBE144469,SHA256=36063B7E4EB9FCF241C3B96892B237A2D6CC40A676077CA0F65C5CF70A08B530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425857Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:02.770{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DCC1F43BF99EE421E0B8B229393F050A,SHA256=10BFC49B46BAC775A10B99F19DB4F26F3862BF67F452333E7D6AD4825A32A9EC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425856Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:00.459{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-47450-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425855Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:02.051{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC646AB654CC590D50C99F7DEE4B779,SHA256=03469CB03A4375AFDDABA1811406E5FB7A4EA60178C28F1FB89D168D4F48B98E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521175Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.935{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-20322-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521174Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.710{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.89.190.250-60093-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521173Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:48:59.285{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-8215-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001521217Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.956{5EBD8912-1A6F-6154-DD00-00000000FE01}46484412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001521216Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.940{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DC1377154F07748C04EA16D4AA1F50FD,SHA256=32E920BB030EE6544E09887FEA65AC43DFE96E6058E967B451A7C1566EB02D9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521215Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.721{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A6F-6154-DD00-00000000FE01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521214Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.721{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521213Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.721{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521212Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.721{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521211Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.721{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521210Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.721{5EBD8912-18A9-6154-0500-00000000FE01}416432C:\Windows\system32\csrss.exe{5EBD8912-1A6F-6154-DD00-00000000FE01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521209Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.721{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A6F-6154-DD00-00000000FE01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001521208Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.722{5EBD8912-1A6F-6154-DD00-00000000FE01}4648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001521207Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.284{5EBD8912-1A6F-6154-DC00-00000000FE01}55324808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001521206Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.268{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1F5CB1DA97B157ED57AEE39CE44B5E5,SHA256=35FEE27CC8DCB2FED4226E4C4D900CE95124F4713D76E9C99CAA470B490ED540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425858Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:03.082{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEFBA1CBF42E338574F132979D5B6728,SHA256=D7B08DBA5F913208A27306B881A8B6B21554835DC40411AF3846EC1D207C60DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521205Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:01.075{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-26269-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521204Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.839{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34139-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521203Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.748{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521202Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.663{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-34021-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521201Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.618{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33956-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521200Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.581{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33912-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521199Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.550{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33857-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521198Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.517{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33823-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521197Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.485{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33786-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521196Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.466{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-33764-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521195Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:00.448{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-12901-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001521194Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.049{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A6F-6154-DC00-00000000FE01}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521193Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.049{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521192Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.049{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521191Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.049{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521190Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.049{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521189Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.049{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-1A6F-6154-DC00-00000000FE01}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521188Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.049{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A6F-6154-DC00-00000000FE01}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001521187Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.050{5EBD8912-1A6F-6154-DC00-00000000FE01}5532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001521221Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.669{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-22521-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521220Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:02.186{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-32233-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521219Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:01.561{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-17940-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521218Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:04.268{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE4E5A2FBE4927145DC3AD248C817DC,SHA256=BB79640A341273BB651C2182518003FA0E09846C3344906FB1D8EB04646BC996,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425859Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:04.098{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85A2E1F78D2AC2690C6E78C38F6970A8,SHA256=6CA2000C149B3DE1690412BEA6877D6558B46AC14685706D7C7205F4FA37F59E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521233Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.334{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-38411-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521232Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.135{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-37378-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521231Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.316{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE5A79D258B987429EDA85BFA4ABD51C,SHA256=B6E1EBC1FAEBF1BB0E125BFDCE8619216D3A9557BBC3C6677C701D4A69231210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425863Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:05.833{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA15BA3C23FE83343F7DBF95450B6538,SHA256=0D542DA62066BF89C234D15F2A968C4BB4B9C94B4105CC0B4BD674B99559963D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001425862Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-SetValue2021-09-29 07:49:05.614{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x7a3fb4eb) 354300x80000000000000001425861Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:02.825{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-50797-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425860Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:05.114{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80FDF92F9833C5FC0820C3FE6D54428,SHA256=956E255DDF76B1EE2A6992CD18B6A467E6E6C04A146D93E93823F88F35100264,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521230Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.191{5EBD8912-18BA-6154-3500-00000000FE01}32923312C:\Windows\system32\conhost.exe{5EBD8912-1A71-6154-DE00-00000000FE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521229Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.191{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521228Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.191{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521227Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.191{5EBD8912-18A9-6154-0500-00000000FE01}4165172C:\Windows\system32\csrss.exe{5EBD8912-1A71-6154-DE00-00000000FE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521226Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.191{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521225Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.191{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521224Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.191{5EBD8912-18B9-6154-2900-00000000FE01}29603328C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{5EBD8912-1A71-6154-DE00-00000000FE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001521223Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.191{5EBD8912-1A71-6154-DE00-00000000FE01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{5EBD8912-18A9-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001521222Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.097{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E34F219418F98301892C117BD310A65,SHA256=9D2BAA515425FC96A4CE954AE076DBBD8A2D197D6BB7AD343DD29F902DF0B165,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521238Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:04.525{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50123-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001521237Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:04.434{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-44135-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521236Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:03.748{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-26975-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521235Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.316{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D0D7188986136FFEF85B2CBDAEDE9F9,SHA256=396AD938222A5B20DE8FA50693D1256B23D8E08346D0FF473B8E08C1C961320F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425865Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:03.881{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49820-false10.0.1.12-8000- 23542300x80000000000000001425864Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:06.130{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C04965EEBC5F667FD88A37800562D59,SHA256=84D79F44B39F6708309EC4F27DA7C9D07FB5984092336989EDB7B148E4AF00A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521234Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.191{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A6AB92D7619C1B4D5AF3F83F906AD4A,SHA256=BE972481CD1DBA2A5D97C70CFD8A721A309DE01BDDE8FC2691DF4183BAA0F8F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521265Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.150{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37002-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521264Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.112{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521263Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.074{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36772-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521262Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.052{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36694-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521261Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.029{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36617-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521260Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.007{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36511-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521259Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.984{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36433-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521258Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.963{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36269-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521257Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.926{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36179-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521256Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.904{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-36093-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521255Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.807{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51791-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521254Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.770{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51692-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521253Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.749{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51484-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521252Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.712{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51392-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521251Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.690{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51249-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521250Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.669{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-51113-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521249Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.647{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50989-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521248Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.625{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50754-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521247Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.589{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50651-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521246Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.567{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521245Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.545{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-50424-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521244Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.312{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-40499-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521243Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.209{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-40390-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521242Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:05.146{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-40252-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521241Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:04.827{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-31592-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521240Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:07.645{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B0B90B05C74887C6071448233A0BE5E,SHA256=CAAE7BE367440B7C33F0E702E71C270783227092650E32FCB4575CC5105825F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521239Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:07.332{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=658CA90AA28ABC3891D5B570E654D110,SHA256=9EC57B40E1317B129C387B804B0A912BC4375BEB8EF6591C123AB8DCD9E9CEA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425867Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:05.887{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-55072-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425866Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:07.130{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51BC39294ECBC6C424C169F02DAC8F42,SHA256=1B17633F179940E929DD883D21CCDD37FBD25C96746F5564C2D39948259CCE68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521280Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.982{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-57962-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521279Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.430{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-38307-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521278Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.408{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-38203-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521277Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.386{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-38103-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521276Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.363{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37931-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521275Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.325{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37829-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521274Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.303{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37730-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521273Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.282{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37642-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521272Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.260{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37549-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521271Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.237{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37441-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521270Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.216{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37356-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521269Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.193{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37251-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521268Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:06.171{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-37163-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521267Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:08.832{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDA8B6AA786757BE4373AA2001F3965D,SHA256=EBE149635D640C84987C80BA810D86276DE5C20D4F595956BE87FA92F8F5EBA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521266Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:08.395{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A027E31437F9610C29662A3E41AE87D1,SHA256=C2175D5645C119786FCC96912893154AC2890F66E6E4024759A9AC02EB234EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425869Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:08.521{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53B99D749A55AAA459C641ACB485A30C,SHA256=6D811AC92E1CF1DA41EBA8EDDBD90FB41D4992A3AFB5E439A3411A7DE4CE64D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425868Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:08.161{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAFA2A5790CF7DCA3C7BA937D8E297AD,SHA256=90DA24D38AD47E953E5FB45C642C986F8F31C3B80CC8427F7F33F31DB5225E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521282Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:09.848{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=87130BF431B41A9F723D5815DA0D385E,SHA256=820524F8926A202FAE2478AD47B0DEE31CC580575C209C990FE289FE31DEFC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521281Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:09.536{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A21D8E248282EBD8DCF0125DC1C5113,SHA256=6242A7E61175274FEC10A6212B3B6CE32965097A83EC8CDEC623AF3E8FBA7BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425870Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:09.177{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=222D9987AFCEBD49C96B0990D23DD802,SHA256=53E191E50EE04B33888FC26E4A172B1CDACF2AC2324B954355C6C130AC4A0E59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521287Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:08.857{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-48289-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521286Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:08.092{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-4957-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521285Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:07.737{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-43203-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521284Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:10.927{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=989A515773248FC7A9FE1762A34C20FF,SHA256=696E616089EBD5A3AD85418334EF9989168EC466FA1619A9F1E6EBEDC0AC6A66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521283Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:10.536{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46CF603BC3E4AB536360A78DAECDD27,SHA256=7FB22FA78DD733E65A7D673C568E725EC42E52D7840F1F7A33F42F22D25B75ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425872Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:08.544{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-58083-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425871Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:10.193{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B83DE878593B09A1D06BCDDBD91F78,SHA256=F31569C7B74072430C234467BC18140B3F01B9CFBAD986E9548DB3C5E779269F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521290Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:09.529{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-45210-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521289Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:09.170{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-10762-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521288Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:11.536{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5625172B8FFEE1102F2314077744B589,SHA256=46B76C6246539E4848A0F55826D34318272327B2BD0E60FA35C02A045287BA58,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425874Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:09.834{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49821-false10.0.1.12-8000- 23542300x80000000000000001425873Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:11.209{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5EB9DE57030908FF92137B1DA873965,SHA256=B80275066A6F38A21A93C135BA18AF940D8A2CE0F9DB3119B5D58E152571530E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425875Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:12.271{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C1EF92309C6FF857B4B50415EE6625,SHA256=5E4FCE82B83550C409CFAE04AEAAB509CE9B13C97F17242C340BD6DD22F985FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521292Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:12.537{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=994144117653768EF70669954B22E47D,SHA256=2EE022E6F47929CE34943CE2F044CADA8F8054A8B4F8980E55EF4C357CD6FE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521291Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:12.052{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=66B7F14DD98DD64E4887DA18DAA600C2,SHA256=B0A3E014EAFD3D6C408840CBC7AB4E177F506EF214166E8AC425BBCADB76B9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521298Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:13.537{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1BBAF0805F91DBB1C1C5F8D844AB215,SHA256=35F81017CE78E2AA2F6C250E2C346EA84CC655BC6AE995644DFB300DC9F325EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425878Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:13.882{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF837916A38D7E7FFB7F080B60D09972,SHA256=55FD41D804D37E68B62A2499F7C7CDF6ADF08410C006581C854D26A99E950120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425877Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:13.882{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=89EBED251B6B6DC37C62991D0478885F,SHA256=4E5D2C1A5B7F615E827B5E32DC47FA9D9EAD4FFF08D1471A9B1A1FBE15474570,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425876Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:13.428{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=790424E7F51CF64855591651EAC65DDE,SHA256=281EF34C84E3903B2B31833F066728B385DCFA61800FA0BC926D30EC30C1B5E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521297Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:13.177{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B936E0EEB29AF23163548965C46CD46,SHA256=710A2FCDE72E87AE87D5D3D7CA3BD74C924C8A6483C23D586ED042A82C9BBA0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521296Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:11.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-57508-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521295Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:10.462{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50124-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001521294Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:10.262{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-16479-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521293Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:09.937{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-52974-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521301Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:14.975{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F85ECC0C78621778B12C4BF3631D9FF7,SHA256=D6DADD6F4D76569F57C3CAE22523EC4F3D85FF7B7319A3A07CA01E471B585775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521300Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:14.553{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC762870437866E1098ACD532C8F2D8A,SHA256=3B19E6D2D2600C99F2A71B3CDB2487320CBD888ED3A7A32BDC32280338140F4F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425898Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1400-00000000FE01}368C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425897Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425896Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-189D-6154-3A00-00000000FE01}2976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425895Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-189B-6154-2700-00000000FE01}2620C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425894Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1500-00000000FE01}1056C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425893Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1600-00000000FE01}1164C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425892Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425891Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425890Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1F00-00000000FE01}1976C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425889Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425888Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425887Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0F00-00000000FE01}956C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425886Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0E00-00000000FE01}892C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425885Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1200-00000000FE01}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425884Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425883Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425882Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.897{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-0C00-00000000FE01}732C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425881Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.444{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29B190B3EA90D086D96C9EED921FEE85,SHA256=63076F1A8627343553C4728B5080085C11070CA73954034E34AA3EBFE3E8468A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425880Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.444{69CF5F33-189A-6154-1C00-00000000FE01}1940NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521299Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:11.387{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-22475-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425879Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.350{69CF5F33-1899-6154-1300-00000000FE01}296NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=550AF1768AB12FE322224E1EAEF38924,SHA256=B904305BF5A8E9144FCDDCF1E739568D7369F8400584D372861C5EFE12FBBB9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425899Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:15.444{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1426BDF13706070B096059A23C09E391,SHA256=8121EC4758C6F14A0589A6E5276A7CEB5FF3105C3F8955E0849F5D34B645E273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521324Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.569{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A554B01CBC1746DCA7E4F1A5E09F94,SHA256=FAC1B076130B8DC328FD3CE7E6B3675B7BC4B449140D0AD8ADCCC503F59E0F21,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521323Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.397{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521322Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.397{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521321Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.397{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521320Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.397{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521319Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.381{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A7B-6154-E000-00000000FE01}5428C:\Windows\System32\InstallAgent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+54c6|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521318Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.381{5EBD8912-194C-6154-9000-00000000FE01}28444276C:\Windows\system32\csrss.exe{5EBD8912-1A7B-6154-E000-00000000FE01}5428C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521317Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.381{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521316Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.381{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521315Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.381{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521314Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.381{5EBD8912-18AB-6154-0C00-00000000FE01}852884C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521313Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.381{5EBD8912-18A9-6154-0500-00000000FE01}416540C:\Windows\system32\csrss.exe{5EBD8912-1A7B-6154-E000-00000000FE01}5428C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001521312Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.381{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-1A7B-6154-E000-00000000FE01}5428C:\Windows\System32\InstallAgent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+37172|c:\windows\system32\rpcss.dll+3df8d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001521311Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.382{5EBD8912-1A7B-6154-E000-00000000FE01}5428C:\Windows\System32\InstallAgent.exe10.0.14393.4169 (rs1_release.210107-1130)InstallAgentMicrosoft® Windows® Operating SystemMicrosoft CorporationInstallAgent.exeC:\Windows\System32\InstallAgent.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{5EBD8912-194D-6154-AD8A-090000000000}0x98aad2HighMD5=88C7DCDD735B31E4F5620E4B9F38C87F,SHA256=5EF1322B96F176C4EA4B8304CAF8B45E2E42C3188AA82ED1FD6196AFC04B7297,IMPHASH=EAB6EF3DE625719627DC808B5F0501FC{5EBD8912-18AB-6154-0C00-00000000FE01}852C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001521310Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.350{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521309Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.350{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521308Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.350{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521307Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.350{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521306Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.350{5EBD8912-18AB-6154-0C00-00000000FE01}8524180C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001521305Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:12.519{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28607-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521304Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:12.498{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.42.23-28488-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521303Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:12.136{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-48562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521302Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:12.092{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-3097-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001425904Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.944{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49823-false10.0.1.12-8000- 354300x80000000000000001425903Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.210{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-6315-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001425902Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:14.209{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49822-false10.0.1.12-8089- 23542300x80000000000000001425901Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:16.819{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF837916A38D7E7FFB7F080B60D09972,SHA256=55FD41D804D37E68B62A2499F7C7CDF6ADF08410C006581C854D26A99E950120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425900Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:16.460{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAE32B7837B998EC24CC6969453B5F27,SHA256=43689C02BE4FEA4F187E3CA85A0A2B55738D39A6A4CEEFAA64ABA2CE7D98D62D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521328Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:16.569{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5CD13A19B53676464516B4AA7534369,SHA256=B236C843A6C6934080E2FF2EE3C4128FE2D853A9AC36E32E66D79B9073D65B6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521327Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:13.615{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-50399-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521326Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:13.184{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-7545-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521325Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:16.038{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6EE923C753EF51C863D5DF637F2A4787,SHA256=3B0813FE8B4CFCD5F21D249B0649C7D418BEEE24F397DC59FE5FF8118BF04CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521334Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:17.569{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7D19AA921FE095486E4A38F10BAFDE,SHA256=588ED9B47613DB7F7E5111CF9BEA9EF815D77E87B5CC37297C4D848F5BB16602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425905Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:17.475{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D69862A0C69CA0B78304861E9237EB8,SHA256=7822D0743A6D07628D1B95C2A989062C2793E6F6A67F2E1E59D66FE03EDB126D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001521333Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-SetValue2021-09-29 07:49:17.226{5EBD8912-18AC-6154-1200-00000000FE01}452C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d7b506-0x812b7f80) 23542300x80000000000000001521332Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:17.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ED64FF343C7853493A97F62898D70508,SHA256=7326A93773593D909D813123167DC14ED31C0472B647211DCF264B42845700E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521331Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:17.210{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=591F49E45191CF7E1F92BA1849068EA8,SHA256=808A4EAFCCB33006CFDAC372A77777F5B846C9F9C683EADD48F3E7FEF7236326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521330Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:17.069{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4ECA5DF4DC39583F473DF12284696AD1,SHA256=BF12D65184CEA600D587C7511FC8DB1AFF3455612E11ECFE0A0DF287350DE2C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521329Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:14.295{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-12130-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521336Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:18.585{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5060DD1562041226C09D373FDEC3E3A0,SHA256=840FF92671E700DF1E765AF91291882E85B6C463DF4E54A0E8E6199F9424C467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425906Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:18.491{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=207478054E6EDAA3710DBD1B2E20DCDA,SHA256=A3DA192A86ABE0D7BA4907FCA899029B7EF52B10DBE08EDBEC4C4A85A994CBB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521335Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:18.257{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=31E4A8CBCA2161C3FDAA5EEB0A270FBF,SHA256=A0BEF93A7ADF57726DE1747908AD8EF6D78335D5809AE9ADF1EE5BDED5AB5F9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521346Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:19.601{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F91463605EEFBCDF462E7B75194FF158,SHA256=49920C9F1AC93DCDC7CE3D326C18F2D573E57694A9C29A4071C93E8904B6FFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425910Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:19.507{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=477DBB9A2CDD242DB5DCE1083C883768,SHA256=39FD2DD3AA8E24187973E8181EC1BA057692B720246DC32917026080E07F9F27,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001521345Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:49:19.539{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001521344Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:49:19.507{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitmodules\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001521343Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:49:19.507{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitignore\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001521342Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1060,RunKeySetValue2021-09-29 07:49:19.507{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.gitattributes\OpenWithProgids\txtfileBinary Data 13241300x80000000000000001521341Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.localT1042SetValue2021-09-29 07:49:19.507{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXEHKU\S-1-5-21-2741910449-3045839080-4200281267-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefileBinary Data 354300x80000000000000001521340Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:16.912{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-53869-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521339Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:16.498{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-21374-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521338Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.541{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001521337Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:15.387{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.14-16571-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425909Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:19.319{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD7AD3399C50079B0CA56B47131EB178,SHA256=D4140B39C9B49EC84D0A7E9DEC096520FABB2C2CA52F3B5F68E4086519561AE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425908Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:19.116{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1200-00000000FE01}1020C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001425907Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:17.030{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-9846-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425912Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:20.554{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEEF8B1D0A6B5626738E8797553B7564,SHA256=9A526E1A477485E7966327CB37872E67B89627FF517961417E9DB8D1A6FA7202,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521347Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:20.617{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAD3134D1F0DD279A17D6C408DD3A53,SHA256=BDF810EFCFB48A84AF295E8FCD09680A0C9E6D2C6D5D1FCAF4961423C1425303,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425911Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:20.496{69CF5F33-1899-6154-0D00-00000000FE01}7923036C:\Windows\system32\svchost.exe{69CF5F33-1899-6154-1100-00000000FE01}972C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001521350Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:21.617{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04958B0565E3773922B60250FAF6C9F9,SHA256=8DBA12E46AAF420C3B19F4B4C22EE27C59DC032AC1BD0130420EDE375A1DDF14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425914Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:21.976{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D265A87F7FFFA71DA29DEB4A1445A1E,SHA256=AE1D45F97A99314EF91AAF25576D8E3E6EA425111ACAA9C0DC73D1CE35D31E32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425913Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:21.570{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95777BD51FAEED12F168E2730F5F21A,SHA256=DCA2A76AD10FD17FE51A6E0DBB744581DAB677F1717ADEF657586E988A90D582,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521349Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:21.524{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=862BD059485C11723BA454A6217E42CF,SHA256=68F13338BE20DB5CE4F48999A6ACEC3D7134A5FC9FF9C0462727FD43D21DE105,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521348Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:19.011{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-57051-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521351Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:22.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9493CF92B5F010C2439301A9E45E70B2,SHA256=49271FBD6F7875534FB50C2480A2DC0F2FE01ACD5EC9606053A2422626C0CF20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425917Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:22.570{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279C0B8982E0E65CDC5A6570330F7FB8,SHA256=7E37B85AAFD94B624721C0CD31F576F22C4B3F84C31182E83CA462E3BE0709B8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425916Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:20.803{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49824-false10.0.1.12-8000- 354300x80000000000000001425915Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:19.736{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-13547-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001521352Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:23.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C3702EE6542342B9BC873719BF2FE7D,SHA256=F4F1C8FF8393265654EA91F67DE1A6BF6C8C9FADB453190FF1366789FF812D5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425919Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:23.883{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F028980469A1D44907F5DA1D5A13AEF,SHA256=7DF1F1708431A5CF15FAEAD6AF96A302E2F2EE5C70764D0665412AD0A521887A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425918Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:23.602{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC940D9097C582C2ECE94DC8ECC317A9,SHA256=3A5A74DA646F936B7923DD51D4343C612881FEF41F72017A49C448527014BF10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521355Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:24.751{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=259F2F3EBE55A825F9FE7D1D4367A8EB,SHA256=130D535684BC97947A502FD9AE4E322EC36A64F720B1DBCCBE84F6A8639B6020,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425922Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:24.633{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453B81DA023429AD11240A9AA42746BE,SHA256=D55BF94AF66F95187FF620ED61750DFA44F4EF8F620D2004D30B6BCB1D535188,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521354Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:21.843{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-1643-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521353Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:21.549{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001425921Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:22.104{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.15win-host-542.attackrange.local138netbios-dgm 354300x80000000000000001425920Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:22.104{69CF5F33-1895-6154-0100-00000000FE01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-542.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 23542300x80000000000000001521357Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:25.752{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=278B64B4FB8ADE03189B1C64A14FEC52,SHA256=724FB0C1D5CC86BF016E81935853A043974C441585CD73DFF1279A9C2409E7D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425924Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:25.664{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68CCBA6CB385A08D7E05EB7BC6722E54,SHA256=EFC7E9F20C2EE2CE458677C491B28ABAA5AE60E37D1DB3E17ED8D895C4918868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521356Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:25.376{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C4436346AF2D95DBF4B9D834718A309,SHA256=96A33D5034FC1C466FDEB14228F01846E8340A830FD644FBB3229F33AF46E990,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425923Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:22.373{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-16837-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001521358Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:26.767{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED905A17518F722ACDDB95D2B2EC640,SHA256=8C17F1EF094CF1CBBCB4F1DCD39A1193CDDB4982D145F9B58ADC22894B50D75E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425926Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:26.680{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95BCB229D1CE0B060AFFBA514C4B1C7C,SHA256=59DE8F1250140D1D28E402CBD076D58D36EB806F2946E28C0184BD8FE352E34E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425925Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:24.490{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-20417-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001521360Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:27.768{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DF8357A001743BDB3B588F713873D5,SHA256=2DC9F293675C588C542A68EF091F692232A567A419BD7C33359912A34FBA6089,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425928Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:27.883{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6B32DB6EDE98744AB5644A9CDA7EDBC9,SHA256=199C01079F1596F981097064DECD283BC28B3479ECAF7C656D685655B6D3BDA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425927Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:27.696{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C8D7834BC8F9051549A7F152862F52,SHA256=F93AF4B74B2C1F7A94D1E118EAEEFF4F88A71356357F302DDDD75FCC71D067A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521359Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:24.980{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-4839-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521361Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:28.768{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97C9E5579EACDB784CB1FF64D366B4F5,SHA256=3D7F8A8E35A091766FB84E3B465D5D0CE7902B6FC451E84A7AC41303DE65FBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425944Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.741{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F09CBD429E2EE7C2675B87857B47A7E2,SHA256=897CB3D4178E4DAE0E27C9712993EDDA03DA23060A8C939E7D745F15CD83FF08,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425943Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:25.975{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49825-false10.0.1.12-8000- 10341000x80000000000000001425942Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.559{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A88-6154-B200-00000000FE01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425941Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.558{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425940Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425939Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425938Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425937Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425936Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425935Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425934Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425933Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425932Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.557{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1A88-6154-B200-00000000FE01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425931Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.556{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A88-6154-B200-00000000FE01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425930Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.556{69CF5F33-1A88-6154-B200-00000000FE01}3124C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425929Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.483{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\respondent-20210929074117-007MD5=0702FCA431B00B594F1E453E1BACB4E7,SHA256=E8701800C5303E9A26BD1B4295F1925FD873002633D318A1D6DD61AA6CF56A5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521363Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:27.346{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001521362Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:29.768{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D7881A6849D5B7DC3A9F0C49AE8539,SHA256=B08894FA9677226F37ED45D447EC22C92C9C344EAB0F93E607F4CE4EAAFA1652,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425961Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.796{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111107BB06F1CB7CDDF42CA371C7F542,SHA256=4B318536648DDF2C5471BCE988128D8D99820738AE13CF0489012F6E6621E789,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425960Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.608{69CF5F33-1A89-6154-B300-00000000FE01}3803140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001425959Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.577{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54F430D508DD362AE066F0CA08BD7010,SHA256=76EA19378A2A7100A33846A1952732A22C6B9123BAD2D44A8222489AAD1351C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425958Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.492{69CF5F33-189A-6154-1B00-00000000FE01}1932NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0a7b4daf9c254f4db\channels\health\surveyor-20210929074115-008MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001425957Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A89-6154-B300-00000000FE01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425956Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425955Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425954Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425953Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425952Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425951Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425950Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425949Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425948Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425947Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1A89-6154-B300-00000000FE01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425946Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A89-6154-B300-00000000FE01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425945Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:29.335{69CF5F33-1A89-6154-B300-00000000FE01}380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001521365Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:30.815{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1876C96F1CFFF26424F6321CE9EFA59E,SHA256=1651E2783DD0FF7B62451653A3121A74578AC509023AF8ED0D81719ED5235C35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425976Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.798{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF1D540F7B59071AFA4AEFA504F04FEE,SHA256=C849B02AC42CDA015104C9C5E4EC8AE9E32E34BF0B0C9A344E85DA3C1405FF54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521364Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:30.347{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1E14AF5BB3691DD8124002B298EAE7DD,SHA256=D87A837AB26D3467CB469CE8C9DD5ED5BA244703D0BF0D3DABFC4C9D39DD2B3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425975Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:28.340{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-24723-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 10341000x80000000000000001425974Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A8A-6154-B400-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425973Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425972Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425971Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425970Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425969Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425968Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425967Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425966Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425965Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001425964Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1A8A-6154-B400-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001425963Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A8A-6154-B400-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001425962Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.361{69CF5F33-1A8A-6154-B400-00000000FE01}740C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001521366Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:31.816{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9204BDE27530C52FEED42F308130AB88,SHA256=2DC3B1A16DA4E117F9E5EE829892E0CDD52CC404E3FD43A7D6689ACA0010E590,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425978Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:31.845{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF260A3650AE34E83D09BB1A53028FFC,SHA256=4998CCB4F5AEEB6B718D6FF826C16F374DAD622F87DB7F720439697ED83520C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425977Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:31.423{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=91D8B0EDA4253B528ADC23A8BA91728D,SHA256=AE16B886704DE0C5A33A4FBB384BD59D594E3939AC2B5D01F7679CF8DDA39AED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425980Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:32.861{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=597EAD6B2F05531F6C5F79B77280FE2D,SHA256=4559D97CAB3D2A17D36204C73F78E06EA5E58A35B80C6CE15A956ECF9C2323F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521368Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:32.925{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1E12D0470CB5DEDB3978EF69E5926ED,SHA256=38B49C3517D3AB4F85E25055D2F58F8C1E417AF123B6034F09DC17B0958B6C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521367Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:32.832{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC9D5DB9A938385BD8E0358ED0D595C,SHA256=3C861711EAC4859D776C4537C31DC7CEA5537FE7B546C21C2AFAAB4D8ECBEF4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425979Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:30.305{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-28167-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001521387Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:30.466{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-11568-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521386Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.847{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BE147FB52923409B97CAB846841ACAE,SHA256=C97AD45DD6AFBB642BEB835E743254AD4516C78164613850EAD32FAC88AEA788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425983Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:33.908{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E451D6EFFE6F7C505F665A466C444CE7,SHA256=95F79DB1CDC207AA796621F42552F3E972816586EE394FBC8D3FF2873FDDCE3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425982Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:31.889{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49826-false10.0.1.12-8000- 23542300x80000000000000001425981Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:33.158{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=164F54793F47B4E454FC256E275AD0FE,SHA256=4AA613878DC42D44FF9F56B04037E5E3B81207EE4C07B0F101577125EB85C252,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521385Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18BB-6154-4900-00000000FE01}3840C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521384Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18BA-6154-3F00-00000000FE01}3532C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521383Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2F00-00000000FE01}2408C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521382Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521381Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-3100-00000000FE01}2788C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521380Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2A00-00000000FE01}2976C:\Windows\sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521379Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18A9-6154-0B00-00000000FE01}640C:\Windows\system32\lsass.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521378Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1400-00000000FE01}948C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521377Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1500-00000000FE01}1236C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521376Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521375Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521374Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1000-00000000FE01}440C:\Windows\system32\dwm.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521373Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1600-00000000FE01}1272C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521372Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0E00-00000000FE01}1012C:\Windows\system32\LogonUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521371Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-1300-00000000FE01}692C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521370Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.566{5EBD8912-18AB-6154-0D00-00000000FE01}9083516C:\Windows\system32\svchost.exe{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+b877|c:\windows\system32\rpcss.dll+85f7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001521369Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.191{5EBD8912-18AC-6154-1100-00000000FE01}444NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B7496895931F7E209D17343BD71A1B53,SHA256=60E178EEF885B5E737EF303C215822CB62F64660E0573954811B1B6481E91E5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521389Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:32.471{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001521388Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:34.848{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D59F167734E45D72E66B5C7AA7EE68,SHA256=83DFB6E477BEF3C8D88399872F28770B56159121CB4A24FDEAC54E6C30F4215F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425984Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:34.924{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7AA29A87C41E5D96D28D750E1637635,SHA256=F66EA70C6021553D461DB49404990FC035A9D7597DF3517BFA1DAD333629E6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521393Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:35.879{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7A94DCF62298236F333925395B009C9C,SHA256=D358281E6B18A6A01D58F7F3D365D7C860012FB51974ABAB8E5783A9B055264B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521392Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:35.879{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A0536F1BCE0535B1177792AE40646B,SHA256=BD10F49B9EADFB8253EE5FC711040A7FD14C30103601F4B3CC08407053836049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521391Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:35.879{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=ED64FF343C7853493A97F62898D70508,SHA256=7326A93773593D909D813123167DC14ED31C0472B647211DCF264B42845700E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521390Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:33.274{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-14435-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001425986Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:35.940{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E3F8FCCB3CA2FCEDA2953E7D9E632BC,SHA256=09797418E799DB10A30D4553823B63212F4F508509D5877FC6E1935319BDE482,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425985Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:33.596{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-31672-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425988Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:36.956{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC8D6303203B0F65426B7D6FE1E4985,SHA256=821E0A2D908834139EA1DA8380B6958E828648D956571F78B85E3C85D19D4DEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521397Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:36.895{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=869909C54E5699ACFB68D8C6391C8AC8,SHA256=F98830F85DC92D491B7E7CC449781900E759A4B8CB69FE834F8DB591E000EA43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521396Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:34.353{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-22003-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521395Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:34.267{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-21919-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521394Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:36.239{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D90018DE010C81F53BE700C574DF2E5E,SHA256=054389A2D7DEC59C282F6EB7718DBA6B17A36DE9989E0DAF2CD738581BB7E4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425987Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:36.299{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F504359AE63FECB077C9270BBA1BBFF,SHA256=9934FC34301D4A5AB1A8E416B434BEBC0A975291787BB3D669C484EE75B1C018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521399Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:37.895{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4F67C1F83BFF46BC9FF5C7A0D40A8E,SHA256=19304F2E202C65216AB01F08BF6AA1ABCF60DC68D49BF712169D9666E8B65225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521398Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:37.630{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10624D1C1FA7AE6377F96E6EAF52DC14,SHA256=09C28AF5F3B68FF5E53D286553BD601BDFAF2A56991C4F1423D3A09678577DDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521404Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:36.944{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-34932-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521403Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:36.080{5EBD8912-18B9-6154-2B00-00000000FE01}3056C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-429.attackrange.local49988- 354300x80000000000000001521402Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:35.732{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-27959-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521401Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:38.896{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E7B82934038A9B0359C213B504ED924,SHA256=B415AEDB4B4E7C8A4ECB5FBA61C0EBDFCC14A30C2056C912E38E99CDE2D8AE63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425989Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:38.003{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFDD8B92E00A4A2CA2BFB3F34C8CBE8C,SHA256=568A72830D1B4438854345A864507CB6081FE1D5156674ABD0AB7ABD753423B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521400Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:38.708{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B2A1C1D35A5BC84FB6C02E7DF8ADD0F,SHA256=722A6AB39DD23E92693C939D29C47F633B0F577DB95FA246BFE6EF7C9A6624DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521406Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:39.959{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25D030027D3728E52311C90AF664EA3A,SHA256=8305D931BA12F1F09FC2C6DAE0FF5F5233FEFD1CB65178A286E6CEC7CAF3D8F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521405Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:39.896{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14E7039F5E1C9E39C2260B666DFA11D4,SHA256=C64680CEB9D5D0D5DB944960E2891C37AF75D2CB840CA3249E4348ED5A42A47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425992Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:39.472{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=098C4BB1FF2B94D0398195F0ECA84B51,SHA256=232EE35F6B7EFC57C810AD16ACA821C691C7757E2B0B5DB37F9ECC813B6F0D10,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425991Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:36.630{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-35578-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425990Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:39.019{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=362B52EC75591506FA062DC7E02DDD2F,SHA256=959424A59E586630303966446032FF00EA14ACE4D95C583AEA9EAE25D95DFE6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521409Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:38.299{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50129-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001521408Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:38.054{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-40670-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521407Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.896{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=874BEC3EBFA9191183796A9770A18116,SHA256=698F05D23259D3E059B490D76BDD4C9558C0D74C462EFA18BC995D4581A47327,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425994Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:37.811{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49827-false10.0.1.12-8000- 23542300x80000000000000001425993Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:40.034{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46478A04D4F473B1F51B66BF2619FED7,SHA256=6350C83AA2428F848A1B6555FD6C75B3FDCFFDA8903090D865F4629FDCF8CA72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521412Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:39.287{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-46363-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001521411Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:41.912{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C376EF2AE701C4EF172D86B89AB514,SHA256=7023943F972F9D1243ABF1662A14DC12E2BF7BF644128F69422F092676F27F9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425995Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:41.050{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=704F7EECCD858FF6049D15FA1C078EDB,SHA256=04F1F530481B30B81A71F61B7DD7CB608446075E3E9FAE7F171B8B1C8162ED13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521410Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:41.084{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B015E6C90C6A8C291FDB13434DDC934F,SHA256=68A2580502DF0E086C267BAF2E90A06F6B55C4FC8CE120AD7B5E620A2D1B4437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521413Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:42.912{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DD0A26266EE08EA7C8D6AD436A99AE,SHA256=17394773275181A086C11824D5FB1DF07139D607CB80D9BAA73972EB33FA921A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001425998Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:42.707{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F409334C5E0B19AD8C4533C0EBDC0C2C,SHA256=1EF1E31592C8410281C1F51D0EA0DE2A2BAEF4D411C712065F88FD575A20A776,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001425997Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:39.732{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-39473-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 23542300x80000000000000001425996Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:42.097{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAF659A59612C5A70996D607848FECFA,SHA256=46DAB10635EC4ED57BB81DB08766A2969EFD311B2342004E460DB43EF6A5E356,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001426026Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A97-6154-B600-00000000FE01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426025Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426024Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426023Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426022Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426021Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426020Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426019Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426018Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426017Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426016Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-1898-6154-0500-00000000FE01}420436C:\Windows\system32\csrss.exe{69CF5F33-1A97-6154-B600-00000000FE01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001426015Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.879{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A97-6154-B600-00000000FE01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001426014Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.880{69CF5F33-1A97-6154-B600-00000000FE01}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001426013Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.644{69CF5F33-1A97-6154-B500-00000000FE01}30282336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426012Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A97-6154-B500-00000000FE01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426011Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426010Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426009Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426008Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426007Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426006Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426005Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426004Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426003Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426002Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-1898-6154-0500-00000000FE01}420536C:\Windows\system32\csrss.exe{69CF5F33-1A97-6154-B500-00000000FE01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001426001Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.379{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A97-6154-B500-00000000FE01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001426000Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.380{69CF5F33-1A97-6154-B500-00000000FE01}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001425999Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:43.144{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1882366876292A39CA0B4C26DE9F6526,SHA256=9CB4724BFE7020D4C0E69BDD40E3F6DB47E788F1D3668946C99AAE1F54D163E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001521458Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521457Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521456Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A400-00000000FE01}5508C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521455Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521454Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-18B9-6154-2C00-00000000FE01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521453Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521452Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521451Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521450Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521449Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521448Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521447Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521446Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521445Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521444Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521443Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521442Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521441Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521440Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-194F-6154-A100-00000000FE01}4472C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521439Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521438Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521437Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521436Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521435Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521434Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521433Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+d6ee|c:\windows\system32\rpcss.dll+c72a|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001521432Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.865{5EBD8912-18AB-6154-0D00-00000000FE01}908928C:\Windows\system32\svchost.exe{5EBD8912-1951-6154-A300-00000000FE01}5392C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+fa21|c:\windows\system32\rpcss.dll+c604|c:\windows\system32\rpcss.dll+dade|c:\windows\system32\rpcss.dll+a6fb|c:\windows\system32\rpcss.dll+43a41|c:\windows\system32\rpcss.dll+43b72|c:\windows\system32\rpcss.dll+43eaf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001521431Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.924{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-54977-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521430Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.893{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-54900-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521429Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.866{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-54725-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521428Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.830{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-54519-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521427Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.797{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-54285-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521426Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.759{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53970-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521425Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.722{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53812-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521424Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.700{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53575-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521423Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.658{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53417-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521422Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.625{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53268-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521421Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.579{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53120-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521420Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.541{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-53027-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521419Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.518{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-52902-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521418Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.495{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-52777-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521417Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.473{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-52530-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521416Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.435{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-52277-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521415Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:40.398{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-52131-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521414Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:39.951{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-22960-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 10341000x80000000000000001426043Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.691{69CF5F33-1A98-6154-B700-00000000FE01}40401204C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426042Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A98-6154-B700-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001426041Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F0EE20FC526FC243C6E61F9780D8AC3,SHA256=369058186D815A141B50CDDFB1D32C514410474B6C6B91D27FBA26F8061F9164,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001426040Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426039Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426038Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1A98-6154-B700-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001426037Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B9A1F26BEA5FD1F71E69E334A317B67,SHA256=D4CFF30F2709F97E07A060D83EFC9681AED118F898432F0F94BB7108728DE589,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001426036Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426035Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426034Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A98-6154-B700-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426033Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426032Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426031Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426030Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426029Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.520{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001426028Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.522{69CF5F33-1A98-6154-B700-00000000FE01}4040C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001521461Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.944{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=03DA7A6B3EE8828F781EB18FF7E40A2A,SHA256=1D3747CF9FFB61B10624BA81E555A1332B7D9C37A7B3C5B1617208706ED13468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521460Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.460{5EBD8912-18B9-6154-2900-00000000FE01}2960NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=72F9D15A308A3AFACD92589D17F2C03E,SHA256=E0EA3012FF17D797A034C0E7F787325C50EBFE6C56FB1128CC9B4A2A94A03D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521459Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.303{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F232697C91975B5B89BCE1933A4A22B,SHA256=E5CA9A6910205E4152C1F288CF350E57D779D864B9448CFE5D3507F45F15AE65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001426027Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:44.019{69CF5F33-1A97-6154-B600-00000000FE01}34162000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001426060Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.692{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CA945C668750AB5CEC7C553D91A9CB6,SHA256=CD58D537593294979F0782A938D02F59C74FD43FFDEE8B842891327EC846D56D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001426059Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.535{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E297F4CB3E133AD5DF843284EA504DD,SHA256=B2E06F9A00CB60A0E7AC62883F6949B1251D64D49DC419DC1411F57ACFDE75FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521465Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:45.319{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CC330C8E0571E418EEF4D00A0FE71B6,SHA256=0518AFD5E95C8AD7494B460E3E052D1C07AA48DAD312201AE1873828D3FB5FA3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001426058Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:42.944{69CF5F33-1899-6154-1000-00000000FE01}964C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.218-44003-false10.0.1.15win-host-542.attackrange.local3389ms-wbt-server 354300x80000000000000001426057Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:42.842{69CF5F33-18A6-6154-6300-00000000FE01}3980C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-542.attackrange.local49828-false10.0.1.12-8000- 10341000x80000000000000001426056Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-189B-6154-2B00-00000000FE01}28322852C:\Windows\system32\conhost.exe{69CF5F33-1A99-6154-B800-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426055Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426054Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426053Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426052Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426051Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426050Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426049Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426048Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426047Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1899-6154-0C00-00000000FE01}732868C:\Windows\system32\svchost.exe{69CF5F33-189A-6154-1E00-00000000FE01}1968C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001426046Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1898-6154-0500-00000000FE01}420372C:\Windows\system32\csrss.exe{69CF5F33-1A99-6154-B800-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001426045Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-189A-6154-1C00-00000000FE01}19403840C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{69CF5F33-1A99-6154-B800-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001426044Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:45.192{69CF5F33-1A99-6154-B800-00000000FE01}2016C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{69CF5F33-1898-6154-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{69CF5F33-189A-6154-1C00-00000000FE01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001521464Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:42.361{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26231-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521463Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:42.181{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26128-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521462Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:42.106{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse80.66.88.125-26031-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 23542300x80000000000000001426061Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:46.551{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB7C956F29BDD75BAC8F0403E82FCF0,SHA256=F6DD11A5F27FEA74B73F24E0205E56DC7C1346DD4F616A26628D77F1C53A8737,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001521473Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:46.319{5EBD8912-18CB-6154-7700-00000000FE01}1336NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55AAD9F54503DBEA641DF5FA2DF2BDF8,SHA256=21D9D43AB4EAC00AA909FA01B8A4ABE28FA432F379664EFD9120D4C92901BF22,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521472Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.130{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11262-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521471Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.108{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10939-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521470Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.070{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10749-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521469Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.040{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-10592-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521468Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.964{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-55015-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521467Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.736{5EBD8912-18B9-6154-2900-00000000FE01}2960C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x80000000000000001521466Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:43.377{5EBD8912-18C4-6154-6E00-00000000FE01}4004C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-429.attackrange.local50130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001426063Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:47.598{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AC44825D068005210F6126878E313D7,SHA256=E25B2B428ABF08CB7C6F1FAAED140D131846BAEF7C02C43BFFDEE030404F10DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001426062Microsoft-Windows-Sysmon/Operationalwin-host-542.attackrange.local-2021-09-29 07:49:47.567{69CF5F33-18AE-6154-6C00-00000000FE01}3364NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB448B09DB61C35E82F32A82686C8C20,SHA256=E2B17B26F96C8E1C46714B77B12601A09E120E7F1E4A57253B6127D24C355D4B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001521510Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:45.188{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16756-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521509Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:45.165{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16650-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521508Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:45.129{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16555-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521507Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:45.107{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16430-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521506Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:45.071{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16373-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521505Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:45.050{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16269-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521504Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:45.014{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16167-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521503Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.977{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16087-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521502Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.955{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-16005-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521501Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.933{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15738-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521500Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.895{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15539-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521499Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.873{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15332-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521498Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.839{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15258-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521497Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.817{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-15098-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521496Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.778{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14958-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521495Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.755{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14758-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521494Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.718{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14645-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521493Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.684{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14578-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521492Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.661{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14474-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521491Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.640{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14366-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521490Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.618{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14233-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521489Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.593{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-14075-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521488Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.556{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13917-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521487Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.534{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13733-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521486Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.497{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13666-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521485Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.475{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13384-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521484Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.438{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13134-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521483Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.400{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-13043-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521482Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.376{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12825-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521481Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.342{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12562-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521480Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.305{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12307-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521479Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.282{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-12202-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521478Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.255{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11996-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521477Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.233{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11874-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521476Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.210{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11733-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521475Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.174{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11599-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server 354300x80000000000000001521474Microsoft-Windows-Sysmon/Operationalwin-dc-429.attackrange.local-2021-09-29 07:49:44.152{5EBD8912-18AC-6154-0F00-00000000FE01}96C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse94.232.43.31-11415-false10.0.1.14win-dc-429.attackrange.local3389ms-wbt-server